Background reading on Hoare Logic 

Mike Gordon 


Learning Guide for the CST Part II course. This document aims to 
provide background reading to support the lectures - think of it as a free 
downloadable textbook. Chapters 1-5 introduce classical ideas of specifica¬ 
tion and proof of programs due to Floyd and Hoare. 1 Although much of 
the material is old - see the dates on some of the cited references - it is 
still a foundation for current research. Chapter 6 is a very brief introduction 
to program refinement; this provides rules to ‘calculate’ an implementation 
from a Hoare-style specification. Chapter 7 is an introduction to the ideas 
of separation logic, an extension of Hoare logic for specifying and verifying 
programs that manipulate pointers. Separation logic builds on early ideas of 
Burstall, but its modern form is due to O’Hearn and Reynolds. 

Note that there may be topics presented in the lectures that are not cov¬ 
ered in this document and there may be material in this document that is 
not related to the topics covered in the lectures. For example, the topics 
of program refinement and separation logic may only be described very su¬ 
perficially, if at all. The examination questions will be based on the 
material presented in the lectures. 

The Part II course Hoare Logic has evolved from an earlier Part II course, 
whose web page can be found on my home page (www. cl. cam. ac. uk/~mj eg). 
Some exam questions from that course might be good exercises (but note that 
some are based on material not covered in this course). A separate document 
containing exercises for the current course is available from the web page. 

Warning. The material here consists of reorganized extracts from lecture 
notes for past courses, together with new material. There is a fair chance that 
notational inconsistencies, omissions and errors are present. If you discover 
such defects please send details to Mike. GordonOcl. cam.ac.uk. 

Acknowledgements. Thanks to Martin Vechev and John Wickerson for 
finding many errors (some serious) in a previous draft of these notes and also 
for suggestions for improving the text. 


MJCG March 2, 2015 


1 Hoare Logic is sometimes called Floyd-Hoare Logic, due to the important contributions 
of Floyd to the underlying ideas. 
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Chapter 1 


Program Specification 


A simple programming language containing assignments, condi¬ 
tionals, blocks and WHILE -loops is introduced. This is then used to 
illustrate Hoare’s notation for specifying the partial correctness of 
programs. Hoare’s notation uses formal logic notation to express 
conditions on the values of program variables. This notation is 
described informally and illustrated with examples. 


1.1 Introduction 


In order to prove the correctness of a program mathematically one must first 
specify what it means for it to be correct. In this chapter a notation for 
specifying the desired behaviour of imperative programs is described. This 
notation is due to C.A.R. Hoare. 

Executing an imperative program has the effect of changing the state , 
which, until Chapter 7, we take to be the values of program variables. To 
use such a program, one first establishes an initial state by setting the values 
of some variables to values of interest. One then executes the program. This 
transforms the initial state into a final one. One then inspects the values 
of variables in the final state to get the desired results. For example, to 
compute the result of dividing y into x one might load x and y into program 
variables X and Y, respectively. One might then execute a suitable program 
(see Example 7 in Section 1.4) to transform the initial state into a final state 
in which the variables Q and R hold the quotient and remainder, respectively. 

The programming language used in these notes is described in the next 
section. 
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1.2 A little programming language 

Programs are built out of commands like assignments, conditionals etc. The 
terms ‘program’ and ‘command’ are really synonymous; the former will only 
be used for commands representing complete algorithms. Here the term 
‘statement’ is used for conditions on program variables that occur in correct¬ 
ness specifications (see Section 1.3). There is a potential for confusion here 
because some writers use this word for commands (as in ‘for-statement’ [14]). 

We now describe the syntax (i.e. form) and semantics (i.e. meaning) of 
the various commands in our little programming language. The following 
conventions are used: 

1. The symbols V, Vi, ... , V n stand for arbitrary variables. Examples of 
particular variables are X, R, Q etc. 

2. The symbols E, E 1: ... , E n stand for arbitrary expressions (or terms). 
These are things like X + 1, \/2 etc. which denote values (usually 
numbers). 

3. The symbols S, $ i, ... , S n stand for arbitrary statements. These are 
conditions like X < Y, X 2 = 1 etc. which are either true or false. 

4. The symbols C, Ci, ... , C n stand for arbitrary commands of our 
programming language; these are described in the rest of this section. 

Terms and statements are described in more detail in Section 1.5. 

1.2.1 Assignments 

Syntax: V : = E 

Semantics: The state is changed by assigning the value of the term E to 
the variable V. All variables are assumed to have global scope. 

Example: X:=X+1 


This adds one to the value of the variable X. 
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1.2.2 Sequences 

Syntax: C \; • • • ; C n 

Semantics: The commands C\, ■ ■ • , C n are executed in that order. 
Example: R:=X; X:=Y; Y:=R 

The values of X and Y are swapped using R as a temporary vari¬ 
able. This command has the side effect of changing the value of 
the variable R to the old value of the variable X. 

1.2.3 Conditionals 

Syntax: IF S THEN G'i ELSE C 2 

Semantics: If the statement S is true in the current state, then G'i is exe¬ 
cuted. If S is false, then C' 2 is executed. 

Example: IF X<Y THEN MAX:=Y ELSE MAX:=X 

The value of the variable MAX it set to the maximum of the values 
of X and Y. 

1.2.4 WHILE-commands 

Syntax: WHILE S DO C 

Semantics: If the statement S is true in the current state, then C is executed 
and the WHILE-command is then repeated. If S is false, then nothing is done. 
Thus C is repeatedly executed until the value of S becomes false. If S never 
becomes false, then the execution of the command never terminates. 

Example: WHILE ->(X=0) DO X:= X-2 

If the value of X is non-zero, then its value is decreased by 2 and 
then the process is repeated. This WHILE-command will terminate 
(with X having value 0) if the value of X is an even non-negative 
number. In all other states it will not terminate. 




10 


Chapter 1. Program Specification 


1.2.5 Summary of syntax 

The syntax of our little language can be summarised with the following spec¬ 
ification in BNF notation 1 

<command> 

::= < variable> : = <term> 

| <command>; ... ; <command> 

j IF <statement> THEN <command> ELSE <command> 

| WHILE <statement> DO <command> 

Note that: 

• Variables, terms and statements are as described in Section 1.5. 

• The BNF syntax is ambiguous: for example, it does not specify whether 
IF S', THEN Ci ELSE C 2 ; C 3 means (IF S', THEN C 1 ELSE C 2 ) ; C 3 
or means IF Si THEN C\ ELSE (C' 2 ; C'3). We will clarify, whenever 
necessary, using brackets. 

1.2.6 Historical note 

The old Part II course Specification and Verification I was based on a lan¬ 
guage similar to the one described above, but with additional features: blocks 
(with local variables), FOR-commands and arrays. Blocks and FOR-commands 
don’t add fundamentally new ideas so they will not be covered; arrays are 
better handled using separation logic (see Section 7). In the old course I 
used BEGIN and END to group commands, whereas here I just use paren¬ 
theses. Thus previously I would have written BEGIN C,; C 2 END instead of 
(Ci;C 2 ). I mention this as it is may help in reusing old examination ques¬ 
tions as exercises for this course. 


1.3 Hoare’s notation 

In a seminal paper [13] C.A.R. Hoare introduced the notation 2 {P} C {Q}, 
which is sometimes called a Hoare triple, for specifying what a program does. 
In such a Hoare triple: 

1 BNF stands for Backus-Naur form; it is a well-known notation for specifying syntax. 
2 Actually, Hoare’s original notation was P {C} Q not {P} C {Q}, but the latter form 
is now more widely used. 
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• C is a program from the programming language whose programs are 
being specified (the language in Section 1.2 in our case). 

• P and Q are conditions on the program variables used in C. Conditions 
on program variables will be written using standard mathematical no¬ 
tations together with logical operators like A (‘and’), V (‘or’), -i (‘not’) 
and =>• (‘implies’). These are described further in Section 1.5. 

We say {P} C {Q} is true, if whenever C is executed in a state satisfying 
P and if the execution of C terminates, then the state in which C’s execution 
terminates satisfies Q. 

Example: {X = 1} X:=X+1 {X = 2}. Here P is the condition that the value 
of X is 1, Q is the condition that the value of X is 2 and C is the assignment 
command X:=X+1 (i.e. ‘X becomes X+l’). {X = 1} X:=X+1 {X = 2} is true. 

An expression {P} C {Q} is called a partial correctness specification ; P 
is called its precondition and Q its postcondition. 

These specifications are ‘partial’ because for {P} C {Q} to be true it is 
not necessary for the execution of C to terminate when started in a state 
satisfying P. It is only required that if C terminates, then Q holds. 

A stronger kind of specification is a total correctness specification. There 
is no standard notation for such specifications. We shall use [P] C [Q\. 

A total correctness specification [ P] C [Q] is true if and only if the fol¬ 
lowing two conditions apply: 

(i) If C is executed in a state satisfying P, then C terminates. 

(ii) After termination Q holds. 

The relationship between partial and total correctness can be informally ex¬ 
pressed by the equation: 

Total correctness = Termination + Partial correctness. 

Total correctness is what we are ultimately interested in, but it is usu¬ 
ally easier to prove it by establishing partial correctness and termination 
separately. 

Termination is often straightforward to establish, but there are some well- 
known examples where it is not. For example, the unsolved Collatz conjecture 
is related to whether the program below terminates for all values of X (see 
the exercise below): 
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WHILE X>1 DO 

IF ODD(X) THEN X := (3xX)+l ELSE X := X DIV 2 

(The expression X DIV 2 evaluates to the result of rounding down X/2 to 
a whole number, though since the ELSE-arm of the conditional here is only 
taken if X is even, no rounding is actually needed.) 

The famous mathematician Paul Erdos said about the Collatz conjecture: 
“Mathematics is not yet ready for such problems.” He offered $500 for its 
solution. 3 


1.4 Some examples 

The examples below illustrate various aspects of partial correctness specifi¬ 
cation. 

In Examples 5, 6 and 7 below, T (for ‘true’) is the condition that is always 
true. In Examples 3, 4 and 7, A is the logical operator ‘and’, i.e. if Pi and 
P 2 are conditions, then P\ A P 2 is the condition that is true whenever both 
Pi and P 2 hold. 

1. {X = 1} Y :=X {Y = 1} 

This says that if the command Y: =X is executed in a state satisfying the 
condition X = 1 (i.e. a state in which the value of X is 1), then, if the 
execution terminates (which it does), then the condition Y = 1 will hold. 
Clearly this specification is true. 

2. {X = 1} Y :=X {Y = 2} 

This says that if the execution of Y: =X terminates when started in a state 
satisfying X = 1, then Y = 2 will hold. This is clearly false. 

3. {X=x A Y=y} R:=X; X:=Y; Y: =R {X=y A Y=x} 

This says that if the execution of R: =X; X: =Y; Y: =R terminates (which it 
does), then the values of X and Y are exchanged. The variables x and y, 
which don’t occur in the command and are used to name the initial values 
of program variables X and Y, are called logical , auxiliary or ghost variables. 

4. {X=x A Y=y} X: =Y; Y: =X {X=y A Y=x} 

This says that X: =Y; Y: =X exchanges the values of X and Y. This is not true. 

3 http://en.wikipedia.org/wiki/Collatz_conjecture 
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5. {T} C {Q} 

This says that whenever C halts, Q holds. 

6. {P} C {T} 

This specihcation is true for every condition P and every command C (be¬ 
cause T is always true). 

7. {T} 

R:=X; 

Q :=0; 

WHILE Y<R DO 
(R:=R-Y; Q:=Q+1) 

{R < YA X = R + (Y X Q)} 

This is {T} C {R < Y A X = R+(YxQ)} where C is the command indicated 
by the braces above. The specification is true if whenever the execution of 
C halts, then Q is quotient and R is the remainder resulting from dividing Y 
into X. It is true (even if X is initially negative!). 

In this example a program variable Q is used. This should not be confused 
with the Q used in 5 above. The program variable Q (notice the font) ranges 
over numbers, whereas the postcondition Q (notice the font) ranges over 
statements. In general, we use typewriter font for particular program 
variables and italic font for variables ranging over statements. Although this 
subtle use of fonts might appear confusing at first, once you get the hang of 
things the difference between the two kinds of ‘Q’ will be clear (indeed you 
should be able to disambiguate things from context without even having to 
look at the font). 

1.5 Terms and statements 

The notation used here for expressing pre- and postconditions is based on 
first-order logic. This will only be briefly reviewed here as readers are as¬ 
sumed to be familiar with it. 

The following are examples of atomic statements. 

T, F, X=l, R < Y, X = R+(YxQ) 

Statements are either true or false. The statement T is always true and the 
statement F is always false. The statement X = 1 is true if the value of X 
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is equal to 1. The statement R < Y is true if the value of R is less than the 
value of Y. The statement X = R+(YxQ) is true if the value of X is equal to 
the sum of the value of R with the product of Y and Q. 

Statements are built out of terms like: 

X, 1, R, Y, R+(YxQ) , YxQ 

Terms denote values such as numbers and strings, unlike statements which 
are either true or false. Some terms, like 1 and 4+5, denote a fixed value, 
whilst other terms contain variables like X, Y, Z etc. whose value can vary. 
We will use conventional mathematical notation for terms, as illustrated by 
the examples below: 


X, Y, Z, 

1, 2, 325, 

-X, -(X+t), (XxY)+Z, 

V(l+X 2 ), X!, sin(X), rem(X,Y) 

T and F are atomic statements that are always true and false respectively. 
Other atomic statements are built from terms using predicates. Here are 
some more examples: 

ODD(X) , PRIME(3) , X=l, (X+l) 2 > X 2 

ODD and PRIME are examples of predicates and = and > are examples of 
infixed predicates. The expressions X, 1, 3, X+l, (X+l) 2 , X 2 are examples of 
terms. 

Compound statements are built up from atomic statements using the 
following logical operators: 

-i (not) 

A (and) 

V (or) 

=>• (implies) 

<+> (if and only if) 

Suppose P and Q are statements, then: 
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• ->P is true if P is false, and false if P is true. 

• P A Q is true whenever both P and Q are true. 

• P V Q is true if either P or Q (or both) are true. 

• P =>• Q is true if whenever P is true, then Q is true also. By con¬ 

vention we regard P =>• Q as being true if P is false. In fact, 
it is common to regard P => Q as equivalent to ~>P V Q: 
however, some philosophers called intuitionists disagree with 
this treatment of implication. 

• P Q is true if P and Q are either both true or both false. In fact 

P Q is equivalent to (P =>• Q) A (Q P). 

Examples of statements built using the connectives are: 

ODD (X) V EVEN (X) X is odd or even. 

-i(PRIME(X) =>- ODD(X)) It is not the case that if X is 
prime, then X is odd. 

X < Y =t X < Y 2 If X is less than or equal to Y, 

then X is less than or equal to 
Y 2 . 

To reduce the need for brackets it is assumed that -> is more binding than A 
and V, which in turn are more binding than => and <^>. For example: 

->P A Q is equivalent to (->P) A Q 

P A Q => R is equivalent to (P A Q) => R 

PAQtt ~>R V S' is equivalent to (FAQ) (( _, -R) V S) 
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Chapter 2 


Hoare logic 


The idea of formal proof is discussed. Hoare logic (also called 
Floyd-Hoare logic) is then introduced as a method for reasoning 
formally about programs. 


In the last chapter three kinds of expressions that could be true or false were 
introduced: 

(i) Partial correctness specifications {P} C {Q}. 

(ii) Total correctness specifications [P] C [Q]. 

(iii) Statements of mathematics (e.g. (X + l) 2 = X 2 + 2 x X + 1). 

It is assumed that the reader knows how to prove simple mathematical state¬ 
ments like the one in (iii) above. Here, for example, is a proof of this fact. 


1. 

(X + i) 2 

= (X+l) x (X + l) 

Definition of () 2 . 

2. 

(X + l) x (X+l) 

= (X+ 1) x X + (X+ 1) x 1 

Left distributive law 
of x over +. 

3. 

(X + l) 2 

= (X+ 1) x X + (X+ 1) x 1 

Substituting line 2 
into line 1. 

4. 

(X + 1) x 1 

= X + 1 

Identity law for 1. 

5. 

(X + 1) x X 

=XxX+lxX 

Right distributive law 
of x over +. 

6. 

(X + l) 2 

=XxX+lxX+X+l 

Substituting lines 4 
and 5 into line 3. 

7. 

1 x X 

= X 

Identity law for 1. 

8. 

(X + l) 2 

=XxX+X+X+l 

Substituting line 7 
into line 6. 

9. 

X x X 

= X 2 

Definition of Q 2 . 

10. 

X + X 

= 2 x X 

2=1+1, distributive law. 

11. 

(X + l) 2 

= X 2 + 2xX + 1 

Substituting lines 9 
and 10 into line 8. 
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This proof consists of a sequence of lines, each of which is an instance 
of an axiom (like the definition of () 2 ) or follows from previous lines by a 
rule of inference (like the substitution of equals for equals). The statement 
occurring on the last line of a proof is the statement proved by it (thus 
(X + l) 2 = X 2 + 2 x X + 1 is proved by the proof above). 

To construct formal proofs of partial correctness specifications axioms 
and rules of inference are needed. This is what Hoare logic provides. The 
formulation of the deductive system is due to Hoare [13], but some of the 
underlying ideas originated with Floyd [9]. 

A proof in Hoare logic is a sequence of lines, each of which is either an 
axiom of the logic or follows from earlier lines by a rule of inference of the 
logic. 

The reason for constructing formal proofs is to try to ensure that only 
sound methods of deduction are used. With sound axioms and rules of infer¬ 
ence, one can be confident that the conclusions are true. On the other hand, 
if any axioms or rules of inference are unsound then it may be possible to 
deduce false conclusions; for example: 


1. v'-l x -1 

2. V-l x -1 

3. V-l x -1 

4. V-l x -1 

5. \/I 

6. 1 


= y/—l x — 1 Reflexivity of =. 

= (\/—T) x (-\/—T) Distributive law of over x. 
= T) 2 Definition of () 2 . 

= — 1 definition of y. 

= -l As-lx-1 = 1. 

= -l As \/I = 1. 


A formal proof makes explicit what axioms and rules of inference are used 
to arrive at a conclusion. It is quite easy to come up with plausible rules for 
reasoning about programs that are actually unsound. Proofs of correctness of 
computer programs are often very intricate and formal methods are needed 
to ensure that they are valid. It is thus important to make fully explicit the 
reasoning principles being used, so that their soundness can be analysed. 

For some applications, correctness is especially important. Examples in¬ 
clude life-critical systems such as nuclear reactor controllers, car braking sys¬ 
tems, fly-by-wire aircraft and software controlled medical equipment. There 
was a legal action resulting from the death of several people due to radiation 
overdoses by a cancer treatment machine that had a software bug [15]. For¬ 
mal proof of correctness provides a way of establishing the absence of bugs 
when exhaustive testing is impossible (as it almost always is). 

The Hoare deductive system for reasoning about programs will be ex- 
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plained and illustrated. The mathematical analysis of the soundness and 
completeness of the system is discussed in Section 4. 

2.1 Axioms and rules of Hoare logic 

As discussed at the beginning of this chapter, a formal proof of a statement is 
a sequence of lines ending with the statement and such that each line is either 
an instance of an axiom or follows from previous lines by a rule of inference. 
If S' is a statement (of either ordinary mathematics or Hoare logic) then we 
write b S to mean that S has a proof. The statements that have proofs are 
called theorems. As discussed earlier, in these notes only the axioms and 
rules of inference for Hoare logic are described; we will thus simply assert 
b S if S is a theorem of mathematics without giving any formal justification. 
Of course, to achieve complete rigour such assertions must be proved, but for 
details of how to do this are assumed known (e.g. from the Logic and Proof 
course). 

The axioms of Hoare logic are specified below by schemas which can be 
instantiated to get particular partial correctness specifications. The inference 
rules of Hoare logic will be specified with a notation of the form: 

b Si, ... , b s n 
b 5 

This says the conclusion b S may be deduced from the b 5j, ... , b S n , which 
are the hypotheses of the rule. The hypotheses can either all be theorems of 
Hoare logic (as in the sequencing rule below), or a mixture of theorems of 
Hoare logic and theorems of mathematics (as in the rule of preconditioning 
strengthening described in Section 2.1.2). 

2.1.1 The assignment axiom 

The assignment axiom represents the fact that the value of a variable V after 
executing an assignment command V: =E equals the value of the expression 
E in the state before executing it. To formalise this, observe that if a state¬ 
ment P is to be true after the assignment, then the statement obtained by 
substituting E for V in P must be true before executing it. 

In order to say this formally, define P[E/V\ to mean the result of re¬ 
placing all occurrences of V in P by E. Read P [E/V\ as l P with E for V\ 
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For example, 

(X+l > X) [Y+Z/X] = ((Y+Z)+l > Y+Z) 

The way to remember this notation is to remember the ‘cancellation law’ 
VIE/VI = E 

which is analogous to the cancellation property of fractions 
v x (e/v) — e 

The Hoare assignment axiom 

b {PIE/VI} V:=E {P} 

Where V is any variable, E is any expression, P is any statement and 
the notation PIE/ V] denotes the result of substituting the term E for 
all occurrences of the variable V in the statement P. 

Instances of the assignment axiom are: 

1. b {Y = 2} X := 2 {Y = X} 

2. b {X + 1 = n + 1} X := X + 1 {X = n + 1} 

3. b {E = E} X := E {X = E} (if X does not occur in E). 

Many people feel the assignment axiom is ‘backwards’ from what they 
would expect. Two common erroneous intuitions are that it should be as 
follows: 

(i) b {P} V-.=E {PlV/El}. 

Where the notation PIV/E] denotes the result of substituting V for 
E in P. 

This has the clearly false consequence that b {X=0} X:=l {X=0}, since 
the (X=0) [X/l] is equal to (X=0) as 1 doesn’t occur in (X=0). 

(ii) b {P}V:=E {PIE/VI}. 

This has the clearly false consequence b {X=0} X:=l {1=0} which 
follows by taking P to be X=0, V to be X and E to be 1. 
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The fact that it is easy to have wrong intuitions about the assignment 
axiom shows that it is important to have rigorous means of establishing the 
validity of axioms and rules. We will go into this topic later in Chapter 4 
where we give a formal semantics of our little programming language and 
then to prove that the axioms and rules of inference of Hoare logic are sound. 
Of course, this process will only increase our confidence in the axioms and 
rules to the extent that we believe the correctness of the formal semantics. 
The simple assignment axiom above is not valid for ‘real’ programming lan¬ 
guages. For example, work by G. Ligler [17] showed that it failed to hold in 
six different ways for the (now obsolete) language Algol 60. 

There is a ‘forwards’ version of the assignment axioms which is some¬ 
times called Floyd’s assignment axiom because it corresponds to the original 
semantics of assignment due to Floyd [9]. In this rule below, the existen¬ 
tially quantified variable v is the value of V in the state before executing 
the assignment (the initial state). The postcondition asserts that after the 
assignment, the value of V is the value of E evaluated in the initial state 
(hence E[v/V\) and the precondition evaluated in the initial state (hence 
Plv/V~\) continues to hold. 

The Floyd assignment axiom 

b {P}V:=E{3v. (V = E[v/Vl) A PLv/V]} 

Where v is a new variable (i.e. doesn’t equal V or occur in P or E) 

An example instance is: 

b {X=l} X:=X+1 {3v. X = X+l[u/X] A X=l[u/X]} 

Simplifying the postcondition of this: 

b {X=l} X:=X+1 {3v. X = X+l[u/X] A X=l[u/X]} 
b {X=l} X:=X+1 {3u. X = u + 1 A v = 1} 
b {X=l} X:=X+1 {3v. X=l + 1 A v = 1} 
b {X=l} X:=X+1 {X = 1 + 1 A 3v. v = 1} 
b {X=l} X:=X+1 {X = 2 A T} 
b {X=l} X:=X+1 {X = 2} 

The Floyd assignment axiom is equivalent to standard one but harder to 
use because of the existential quantifier that it introduces. However, it is an 
important part of separation logic. 
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The Hoare assignment axiom is related to weakest preconditions (see 
Section 4.3.3) and the Floyd assignment axiom to strongest postconditions 
(see Section 4.4.1). As will be explained in the sections mentioned in the 
previous sentence: 

Hoare assignment axiom: {wlp (V: =E, Q) } V: =E { Q } 

Floyd assignment axiom: { P } V: =E {sp (V: =E, P) } 

where wlpCC.Q) and sp (C',P) denote the weakest liberal precondition and 
strongest postcondition, respectively (see sections 4.3.3 and 4.4.1). 

One way that our little programming language differs from real languages 
is that the evaluation of expressions on the right of assignment commands 
cannot ‘side effect’ the state. The validity of the assignment axiom depends 
on this property. To see this, suppose that our language were extended so 
that it contained expressions of the form (C;E), where C is a command and 
E an expression. Such an expression is evaluated by first executing C and 
then evaluating E and returning the resulting value as the value of ( C\E ). 
Thus the evaluation of the expression may cause a ‘side effect’ resulting from 
the execution of C. For example (Y: =1; 2) has value 2, but its evaluation 
also ‘side effects’ the variable Y by storing 1 in it. If the assignment axiom 
applied to expressions like ( C\E ), then it could be used to deduce: 

b {Y=0} X:=(Y:=1; 2) {Y=0} 

(since (Y=0) [E/X] = (Y=0) as X does not occur in (Y=0)). This is clearly 
false, as after the assignment Y will have the value 1. 

2.1.2 Precondition strengthening 

The next rule of Hoare logic enables the preconditions of (i) and (ii) on page 
20 to be simplified. Recall that 

h Si, ... , b s n 
b s 

means that b S'can be deduced from b Si,..., b S n . 

Using this notation, the rule of precondition strengthening is 
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Precondition strengthening 

b P=>P', b {P'}C{Q} 
h {P} C {Q} 


Examples 

1. From the arithmetic fact b X=n =>• X+l=n+l, and 2 on page 20 it follows 
by precondition strengthening that 

b {X = n} X := X + 1 {X = n + 1}. 

The variable n is an example of an auxiliary (or ghost ) variable. As described 
earlier (see page 12), auxiliary variables are variables occurring in a partial 
correctness specification {P} C [Q] which do not occur in the command C. 
Such variables are used to relate values in the state before and after C is 
executed. For example, the specification above says that if the value of X is 
n, then after executing the assignment X:=X+1 its value will be n+1. 

2. From the logical truth b T (E=E ), and 3 on page 20 one can deduce 
that if X is not in E then: 


b {T} X :=E {X =E} 


2.1.3 Postcondition weakening 

Just as the previous rule allows the precondition of a partial correctness 
specification to be strengthened, the following one allows us to weaken the 
postcondition. 


Postcondition weakening 

b {P}C{Q'}, b Q'^Q 
h {P} C {<?} 
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Example: Here is a little formal proof. 


b {R=X A 0=0} Q: =0 {R=X A Q=0} 
b R=X => R=X A 0=0 
b {R=X} Q=0 {R=X A Q=0} 
b R=X A Q=0 =t> R=X+(Y X Q) 
b {R=X} Q:=0 {R=X+(Y x Q)} 


By the assignment axiom. 

By pure logic. 

By precondition strengthening. 
By laws of arithmetic. 

By postcondition weakening. 


The rules precondition strengthening and postcondition weakening are 
sometimes called the rules of consequence. 

2.1.4 Specification conjunction and disjunction 

The following two rules provide a method of combining different specifications 
about the same command. 

Specification conjunction 

I- {Pi} C {<3i}, I- {P 2 } C {&} 
b {P, A P 2 } C {<?, A <? 2 } 

Specification disjunction 

b { P i} C {Qi}, b {P 2 } C {Q 2 } 
b {P 1 V P 2 } C {Q 1 V Q 2 } 


These rules are useful for splitting a proof into independent bits. For ex¬ 
ample, they enable b {P} C {Q\ AQ 2 } to be proved by proving separately 
that both b {P} C {Qi} and b {P} C {Q 2 }. 

The rest of the rules allow the deduction of properties of compound com¬ 
mands from properties of their components. 

2.1.5 The sequencing rule 

The next rule enables a partial correctness specification for a sequence C\ ; C 2 
to be derived from specifications for C\ and C 2 . 
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The sequencing rule 

I- {P} Cl {<3}, I- {<3} C 2 {fi} 

I- { P} Ci;C 2 {if} 

Example: By the assignment axiom: 

(i) b {X=xAY=y} R:=X {R=xAY=y} 

(ii) b {R=xAY=y} X:=Y {R=xAX=y} 

(iii) b {R=xAX=y} Y:=R {Y=xAX=y} 

Hence by (i), (ii) and the sequencing rule 

(iv) b {X=xAY=y} R:=X; X:=Y {R=xAX=y} 

Hence by (iv) and (iii) and the sequencing rule 

(v) b {X=xAY=y} R:=X; X:=Y; Y:=R {Y=xAX=y} 


2.1.6 The derived sequencing rule 

The following rule is derivable from the sequencing and consequence rules. 


The derived sequencing rule 


b 

1- {Pl} Cl {QJ 

b Qi =► Pi 

1 {P 2 } C 2 {Q 2 } 

b Q 2 ^Ps 

b {Pn} C n {Q n } 

b Qn^Q 

b {P}C i; ... 

; {Q} 


The derived sequencing rule enables (v) in the previous example to be 
deduced directly from (i), (ii) and (iii) in one step. 





26 


Chapter 2. Hoare logic 


2.1.7 The conditional rule 


The conditional rule 


b {PAS} C x {Q}, b {P A ^S} C 2 {Q} 
b {P} IF S THEN Cl ELSE C 2 {Q} 


Example: Suppose we are given that 

(i) b X>Y =*> max(X,Y)=X 

(ii) b Y>X => max(X,Y)=Y 

Then by the conditional rule (and others) it follows that 

b {T} IF X>Y THEN MAX:=X ELSE MAX:=Y {MAX=max(X,Y)} 


2.1.8 The WHILE-rule 

If b {PAS'} C {P}, we say: P is an invariant of C whenever S holds. The 
WHILE-rule says that if P is an invariant of the body of a WHILE-command 
whenever the test condition holds, then P is an invariant of the whole WHILE- 
command. In other words, if executing C once preserves the truth of P, then 
executing C any number of times also preserves the truth of P. 

The WHILE-rule also expresses the fact that after a WHILE-command has 
terminated, the test must be false (otherwise, it wouldn’t have terminated). 


The WHILE-rule 

b {PAS} C {P} 
b {P} WHILE S DO C {P A ^S} 


Example: By earlier rules: 
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b (X=R+(YxQ)} R:=R-Y; Q:=Q+1 (X=R+(YxQ)} 

Hence by precondition strengthening 

b (X=R+(YxQ)AY<R} R: =R-Y; Q:=Q+1 (X=R+(YxQ)} 
Hence by the WHILE-rule (with P = ‘X=R+(YxQ)’) 

(i) b (X=R+(YxQ)} 

WHILE Y<R DO (R:=R-Y; Q:=Q+1) 

{X=R+ (Yx Q) A-i (Y <R) } 

By applying the assignment axiom twice, it is easy to deduce that 

(ii) b {T} R:=X; Q:=0 (X=R+(YxQ)} 

Hence by (i) and (ii), the sequencing rule and postcondition weakening 

b {T} 

R:=X; 

Q:=0; 

WHILE Y<R DO (R:=R-Y; Q:=Q+1) 

{R<YAX=R+ ( Y X Q )} 


With the exception of the WHILE-rule, all the axioms and rules described 
so far are sound for total correctness as well as partial correctness. This is 
because the only commands in our little language that might not terminate 
are WHILE-commands. Consider now the following proof: 

1. b {T} X:=0 {T} (assignment axiom) 

2. b {TAT}X:=0{T} (precondition strengthening) 

3. b {T} WHILE T DO X:=0{TA^T} (2 and the WHILE-rule) 

If the WHILE-rule were true for total correctness, then the proof above 
would show that: 


b [T] WHILE T DO X:=0 [T A -.T] 

but this is clearly false since WHILE T DO X: =0 does not terminate, and even 
if it did then T A -iT could not hold in the resulting state. 
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2.1.9 The FOR-rule 

It is quite hard to capture accurately the intended semantics of FOR- 
commands in Floyd-Hoare logic. Axioms and rules are given here that appear 
to be sound, but they are not necessarily complete (see Section ??). An early 
reference on the logic of FOR-commands is Hoare’s 1972 paper [14]; a com¬ 
prehensive treatment can be found in Reynolds [?]. 

The intention here in presenting the FOR-rule is to show that Floyd-Hoare 
logic can get very tricky. All the other axioms and rules were quite straight¬ 
forward and may have given a false sense of simplicity: it is very difficult 
to give adequate rules for anything other than very simple programming 
constructs. This is an important incentive for using simple languages. 

One problem with FOR-commands is that there are many subtly different 
versions of them. Thus before describing the FOR-rule, the intended semantics 
of FOR-commands must be described carefully. In these notes, the semantics 
of 

FOR V:=E 1 UNTIL E 2 DO C 

is as follows: 

(i) The expressions E 1 and E 2 are evaluated once to get values ei and e 2 , 
respectively. 

(ii) If either e\ or e 2 is not a number, or if e\ > e 2 , then nothing is done. 

(iii) If e\ < e 2 the FOR-command is equivalent to: 

BEGIN VAR V ; 

V:=e i; C; V:=ei+1; C ; ... ; V:=e 2 ; C 

END 

i.e. C is executed (e 2 —ei)+l times with V taking on the sequence 
of values ei, ei+1, ... , e 2 in succession. Note that this description 
is not rigorous: l e{ and ‘e 2 ’ have been used both as numbers and 
as expressions of our little language; the semantics of FOR-commands 
should be clear despite this. 

FOR-rules in different languages can differ in subtle ways from the one 
here. For example, the expressions Ei and E 2 could be evaluated at each 
iteration and the controlled variable V could be treated as global rather than 
local. Note that with the semantics presented here, FOR-commands cannot 
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go into infinite loops (unless, of course, they contain non-terminating WHILE- 
commands). 

To see how the FOR-rule works, suppose that 
b {P} C {PIV+1/V1} 

Suppose also that C does not contain any assignments to the variable V. If 
this is the case, then it is intuitively clear (and can be rigorously proved) 
that 

b {(V = v)}C{(V = v)} 
hence by specification conjunction 

b {P A(V = v)} C {PIV+l/V] A(U = v)} 

Now consider a sequence 
V:=v ; C. 

By Example 2 on page 23, 

b {Plv/V]}V:=v{P A(U = u)} 

Hence by the sequencing rule 

b {PLv/VI} V:=v, C {PLV+l/V] A(U = v)} 

Now it is a truth of logic alone that 

b P[V+1/V"\ A(V — v) => Plv+1/Vl 
hence by postcondition weakening 

b {Plv/V]} V:=v, C {Plv+l/V]} 

Taking v to be e l7 ei+1, ..., e 2 

b {P[e i/y]} V:=e i; C {P[e i+l/E]} 
b {PCd-l/V]} V :=ei+l ; C {P[ ei +2/E] } 

b {P [e 2 /V] } V: =e 2 ; C {P [e 2 +l/E]} 

Hence by the derived sequencing rule: 

{Plei/V]} V :=e i; C; V ... ; H:=e 2 ; C {P [e 2 +l/H]} 

This suggests that a FOR-rule could be: 

b {P} C {PIV+ 1/TP] } 

b {P lEi/V] } FOR V:=Ei UNTIL E 2 DO C {P[P 2 + l/Vl} 
Unfortunately, this rule is unsound. To see this, first note that: 
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1. b {Y+l=Y+l} X:=Y+1 {X=Y+l} 

2. b {T} X:=Y+1 {X= Y+l} 

3. b X=Y T 

4. b {X=Y} X:=Y+1 {X=Y+1} 

Thus if P is ‘X=Y’ then: 


(assignment axiom) 
(1 and precondition strengthening) 
(logic: ‘anything implies true’) 
(2 and precondition strengthening) 


b {P} X:=Y+1 {P[Y+1/Y]} 

and so by the FOR-rule above, if we take V to be Y, Ei to be 3 and E 2 to be 
1, then 


b { X=3, } FOR Y:=3 UNTIL 1 DO X:=Y+1 { X=2, } 

P [3/Y] P [1+1/Y] 

This is clearly false: it was specified that if the value of E\ were greater than 
the value of E 2 then the FOR-command should have no effect, but in this 
example it changes the value of X from 3 to 2. 

To solve this problem, the FOR-rule can be modified to 

b {P} C {PIV+l/V]} 

b {PlEi/\T\ A£i< E 2 } FOR V-.=E x UNTIL E 2 DO C {P LE 2 +l/V] } 

If this rule is used on the example above all that can be deduced is 
b {X=3 A 3_g_l } FOR Y:=3 UNTIL 1 DO X:=Y+1 {X=2} 

never true! 

This conclusion is harmless since it only asserts that X will be changed if the 
FOR-command is executed in an impossible starting state. 

Unfortunately, there is still a bug in our FOR-rule. Suppose we take P to 
be ‘Y=T, then it is straightforward to show that: 

b {Y=d} Y:=Y-1 { Y+l=l } 

P P[ Y+l/Y] 

so by our latest FOR-rule 

b { ^1=1, A 1 < 1} FOR Y:=l UNTIL 1 DO Y:=Y-1 { 2=T } 

P[ 1/Y] P [1+1/Y] 
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Whatever the command does, it doesn’t lead to a state in which 2=1. The 
problem is that the body of the FOR-command modifies the controlled vari¬ 
able. It is not surprising that this causes problems, since it was explicitly 
assumed that the body didn’t modify the controlled variable when we mo¬ 
tivated the FOR-rule. It turns out that problems also arise if any variables 
in the expressions Pi and P 2 (which specify the upper and lower bounds) 
are modified. For example, taking P to be Z=Y, then it is straightforward to 
show 

b {^Z^Y,} Z:=Z+1 { Z=Y+1 } 

P P [Y+l/Y] 

hence the rule allows us the following to be derived: 

b { s Z=l / A 1 < Z} FOR Y:=l UNTIL Z DO Z:=Z+1 { Z=Z+1 } 

P [l/Y] P[Z+l/Y] 

This is clearly wrong as one can never have Z=Z+1 (subtracting Z from both 
sides would give 0=1). One might think that this is not a problem because 
the FOR-command would never terminate. In some languages this might be 
the case, but the semantics of our language were carefully defined in such a 
way that FOR-commands always terminate (see the beginning of this section). 

To rule out the problems that arise when the controlled variable or vari¬ 
ables in the bounds expressions, are changed by the body, we simply impose 
a side condition on the rule that stipulates that the rule cannot be used in 
these situations. A debugged rule is thus: 


The FOR-rule 

b {P A (Pi < V) A (V < P 2 )} C {PIV+1/V1} 
b {P[Pi/1/]A(Pi<P 2 )} FOR V := E 1 UNTIL E 2 DO C {P[E 2 +l/V~\} 

where neither V, nor any variable occurring in Ei or E 2 , is assigned to in 
the command C. 


This rule does not enable anything to be deduced about FOR-commands 
whose body assigns to variables in the bounds expressions. This precludes 
such assignments being used if commands are to be reasoned about. The 
strategy of only defining rules of inference for non-tricky uses of constructs 
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helps ensure that programs are written in a perspicuous manner. It is possible 
to devise a rule that does cope with assignments to variables in bounds 
expressions, but it is not clear whether it is a good idea to have such a rule. 

The FOR-axiom 

To cover the case when E 2 < Ei, we need the FOR-axiom below. 


The FOR-axiom 

h {PA (E 2 < £ 1 )} FOR V := E x UNTIL E 2 DO C {P} 

This says that when E 2 is less than E l the FOR-command has no effect. 
Example: By the assignment axiom and precondition strengthening 
b {X = ((N-l)xN) DIV 2} X: =X+N (X=(Nx(N+l)) DIV 2} 
Strengthening the precondition of this again yields 


b {(X=( (N-lxN) DIV 2) A(1<N)A(N<M)} X:=X+N (X=(Nx(N+l)) DIV 2} 

Hence by the FOR-rule 

b {(X=((l-l)xl) DIV 2)A(1<M)} 

FOR N:=l UNTIL M DO X:=X+N 
{X=(Mx (M+l)) DIV 2} 

Hence 

b {(X=0) A(1<M)} FOR N:=l UNTIL M DO X:=X+N (X=(Mx(M+l)) DIV 


Note that if 

(i) b {P} C {PLV+l/V]}, or 

(ii) b {P A (Ei < V )} C {PlV+l/V]}, or 
(hi) b {P A(V < E 2 )} C {PlV+l/Vl} 

then by precondition strengthening one can infer 
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b {PA(£i <V)A(V <E 2 )} C {PLV+1/V1} 

The separate FOR-rule and FOR-axiom are a bit clunky. A nice treatment 
suggested by John Wickerson is the following: 


Wickerson’s FOR-rule 

b p RIEi/V] , b R AV>E 2 Q, b {RAV<E 2 } C {RIV+l/V]} 
b {P} FOR V := E x UNTIL E 2 DO C {Q} 

where neither V, nor any variable occurring in E 1 or E 2: is assigned to in 
the command C. 


Yet another alternative FOR-rule has been suggested by Bob Tennent: 


Tennent’s FOR-rule 

b {PLV-1/V1 A (Ad <V) MV < E 2 )} C {P} 
b {PlEi-l/VI A(^i-1<E 2 )} FOR V := E x UNTIL E 2 DO C {P[E 2 /V1} 

where neither V, nor any variable occurring in E\ or E 2 , is assigned to in 
the command C. 


This rule also has the property that the “special case” of executing the 
loop body 0 times can normally be handled without use of the FOR-axiom. 
Justify this claim. 

It is clear from the discussion above that there are various options for 
reasoning about FOR-commands in Floyd-Hoare logic. It may well be that 
one could argue for a ‘best’ approach (though, as far as I know, there is 
no consensus on this for our toy language, which is not surprising as FOR 
loops in real languages are more complex). The point is that designing 
rules for constructs that go beyond the simple core language of assignment, 
sequencing, conditionals and WHILE-loops is tricky and may involve personal 
preferences. 
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2.1.10 Arrays 

At the end of Section 2.1.1 it is shown that the naive array assignment axiom 

b {PiE z JA{E 1 )'\} A(Ei) := E 2 {P} 

does not work, because of the possibility that changes to A(X) may also 
change A(Y), A(Z), ... (since X might equal Y, Z, ...). 

The solution, due to Hoare, is to treat an array assignment 

A (£ i ):=£ 2 

as an ordinary assignment 

A := A{Ei<—E 2 } 

where the term A{Ei<—E 2 } denotes an array identical to A, except that the 
i?i-th component is changed to have the value E 2 . 

Thus an array assignment is just a special case of an ordinary variable 
assignment. 


The array assignment axiom 

b {PIA{E 1 ^E 2 }/A'\} A{E 1 )-E 2 {P} 

Where A is an array variable, E\ is an integer valued expression, P is any 
statement and the notation A{Ei<—E 2 } denotes the array identical to A, 
except that the value at E 1 is E 2 . 


In order to reason about arrays, the following axioms, which define the 
meaning of the notation A{Ei<—E 2 }, are needed. 


The array axioms 

b A{E 1 ^E 2 }(E 1 ) = e 2 

e^e 3 => b A{E 1 ^E 2 }(E 3 ) = A(E 3 ) 
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Example: We show 

b {A(X)=x A A(Y)=y} 

BEGIN 
VAR R; 

R := A(X); 

A(X) := A(Y); 

A(Y) := R 
END 

{A(X)=y A A(Y)=x} 

Working backwards using the array assignment axiom: 

b {A{Y-<—R} (X)=y A A{Y-<—R} (Y)=x) 

A(Y) := R 
{A(X)=y A A(Y)=x} 

By precondition strengthening using b A{Ya- R}(Y) = R 

b {A{Yt-R}(X)=y A R=x} 

A(Y) := R 
{A(X)=y A A(Y)=x} 

Continuing backwards 

b {A{Xt—A(Y)}{Yt—R}(X)=y A R=x} 

A(X) := A(Y) 

{A{Yt-R}(X)=y A R=x} 

b {A{Xt—A(Y)}{Yt—A(X)}(X)=y A A(X)=x} 

R := A(X) 

{A{Xt—A(Y)}{Yt—R}(X)=y A R=x} 

Hence by the derived sequencing rule: 

b {A{Xt—A(Y)}{Yt—A(X)}(X)=y A A(X)=x} 

R := A(X); A(X) := A(Y); A(Y) := R 
{A(X)=y A A(Y)=x} 

By the array axioms (considering the cases X=Y and X^Y separately), it 
follows that: 


b A{X-<—A(Y)}{Y-<—A(X)}(X) = A(Y) 
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Hence: 


b {A(Y)=y A A(X)=x} 

R := A(X); A(X) := A(Y); A(Y) := R 
{A(X)=y A A(Y)=x} 

The desired result follows from the block rule. 


Example: Suppose C sort is a command that is intended to sort the first n 
elements of an array. To specify this formally, let SORTED (A,n) mean that: 

A(l) < A(2) < . . . < A(n) 

A hrst attempt to specify that C sort sorts is: 

{1<N} C sort {SORTED(A,N)} 

This is not enough, however, because SORTED(A,N) can be achieved by simply 
zeroing the hrst N elements of A. 

It is necessary to require that the sorted array is a rearrangement, or permu¬ 
tation, of the original array. 

To formalize this, let PERM (A, A', N) mean that A(l), A(2),. .., A{n) is a 
rearrangement of A' ( 1 ), A' (2),..., A'{n). 

An improved specification that C sort sorts is then 

{l<N A A=a} C sort {SORTED(A,N) A PERM(A,a,N)} 

However, this still is not correct 

b {l<N A A=a} 

N:=l 

{SORTED(A,N) A PERM(A,a,N)} 

It is necessary to say explicitly that N is unchanged also. A correct specifi¬ 
cation is thus: 

{l<N A A=a A N=n} C sort {SORTED(A,N) A PERM(A,a,N) A N=n} 



Mechanizing Program 
Verification 


Chapter 3 


The architecture of a simple program verifier is described. Its 
operation is justified with respect to the rules of Hoare logic. 


After doing only a few examples, the following two things will be painfully 
clear: 

(i) Proofs are typically long and boring (even if the program being verified 
is quite simple). 

(ii) There are lots of fiddly little details to get right, many of which are 
trivial (e.g. proving b (R=X A Q=0) (X = R + YxQ)). 

Many attempts have been made (and are still being made) to automate 
proof of correctness by designing systems to do the boring and tricky bits of 
generating formal proofs in Hoare logic. Unfortunately logicians have shown 
that it is impossible in principle to design a decision procedure to decide 
automatically the truth or falsehood of an arbitrary mathematical statement 
[10]. However, this does not mean that one cannot have procedures that will 
prove many useful theorems. The non-existence of a general decision proce¬ 
dure merely shows that one cannot hope to prove everything automatically. 
In practice, it is quite possible to build a system that will mechanize many 
of the boring and routine aspects of verification. This chapter describes one 
commonly taken approach to doing this. 

Although it is impossible to decide automatically the truth or falsity of 
arbitrary statements, it is possible to check whether an arbitrary formal 
proof is valid. This consists in checking that the results occurring on each 
line of the proof are indeed either axioms or consequences of previous fines. 
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Since proofs of correctness of programs are typically very long and boring, 
they often contain mistakes when generated manually. It is thus useful to 
check proofs mechanically, even if they can only be generated with human 
assistance. 


3.1 Overview 

In the previous chapter it was shown how to prove {P}C{Q} by proving 
properties of the components of C and then putting these together (with the 
appropriate proof rule) to get the desired property of C itself. For example, 
to prove b {P}Ci;C 2 {Q} first prove b {P}C' 1 {.R} and b {R}C 2 {Q} (for 
suitable R), and then deduce b {P}Ci;C 2 {Q} by the sequencing rule. 

This process is called forward proof because one moves forward from 
axioms via rules to conclusions. In practice, it is more natural to work back¬ 
wards: starting from the goal of showing {P}C{Q} one generates subgoals, 
subsubgoals etc. until the problem is solved. For example, suppose one wants 
to show: 

b {X=x A Y=y} R:=X; X:=Y; Y:=R {Y=x A X=y} 

then by the assignment axiom and sequencing rule it is sufficient to show the 
subgoal 

b {X=x A Y=y} R:=X; X:=Y {R=x A X=y} 

(because b {R=x A X=y} Y:=R {Y=x A X=y}). By a similar argument this 
subgoal can be reduced to 

b {X=x A Y=y} R:=X {R=x A Y=y} 

which clearly follows from the assignment axiom. 

This chapter describes how such a goal oriented method of proof can be 
formalised. 

The verification system described here can be viewed as a proof checker 
that also provides some help with generating proofs. The following diagram 
gives an overview of the system. 
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human expert 


vc generator 


theorem prover 


human expert 


The system takes as input a partial correctness specification annotated 
with mathematical statements describing relationships between variables. 
From the annotated specification the system generates a set of purely math¬ 
ematical statements, called verification conditions (or VCs). In Section 3.5 
it is shown that if these verification conditions are provable, then the original 
specification can be deduced from the axioms and rules of Hoare logic. 

The verification conditions are passed to a theorem prover program which 
attempts to prove them automatically; if it fails, advice is sought from the 
user. We will concentrate on those aspects pertaining to Hoare logic and say 
very little about theorem proving here. 

The aim of much current research is to build systems which reduce the 
role of the slow and expensive human expert to a minimum. This can be 
achieved by: 

• reducing the number and complexity of the annotations required, and 

• increasing the power of the theorem prover. 
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The next section explains how verification conditions work. In Section 3.5 
their use is justified in terms of the axioms and rules of Hoare logic. Besides 
being the basis for mechanical verification systems, verification conditions 
are a useful way of doing proofs by hand. 


3.2 Verification conditions 

The following sections describe how a goal oriented proof style can be for¬ 
malised. To prove a goal {P}C{Q}, three things must be done. These will 
be explained in detail later, but here is a quick overview: 

(i) The program C is annotated by inserting into it statements (often called 
assertions ) expressing conditions that are meant to hold at various 
intermediate points. This step is tricky and needs intelligence and a 
good understanding of how the program works. Automating it is a 
problem of artificial intelligence. 

(ii) A set of logic statements called verification conditions (VCs for short) 
is then generated from the annotated specification. This process is 
purely mechanical and easily done by a program. 

(iii) The verification conditions are proved. Automating this is also a prob¬ 
lem of artificial intelligence. 

It will be shown that if one can prove all the verification conditions gen¬ 
erated from {P}C{Q} (where C is suitably annotated), then b {P}C{Q}. 

Since verification conditions are just mathematical statements, one can 
think of step 2 above as the ‘compilation’, or translation, of a verification 
problem into a conventional mathematical problem. 

The following example will give a preliminary feel for the use of verifica¬ 
tion conditions. 

Suppose the goal is to prove (see the example on page 26) 

{ 1 } 

R:=X; 

Q:=0; 

WHILE Y<R DO (R:=R-Y; Q:=Q+1) 

{X = R+YxQ A R<Y} 
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This first step ((i) above) is to insert annotations. A suitable annotated 
specification is: 

m 

R:=X; 

Q:=0; {R=X A Q=0} 4—Pi 
WHILE Y<R DO {X = R+YxQ} 4—P 2 
(R:=R-Y; Q:=Q+1) 

{X = R+YxQ A R<Y} 

The annotations Pi and P 2 state conditions which are intended to hold when¬ 
ever control reaches them. Control only reaches the point at which Pi is 
placed once, but it reaches P 2 each time the WHILE body is executed and 
whenever this happens P 2 (i.e. X=R+YxQ) holds, even though the values of R 
and Q vary. P 2 is an invariant of the WHILE-command. 

The second step ((ii) above), which has yet to be explained, will generate 
the following four verification conditions: 

(i) T *=► (X=X A 0=0) 

(ii) (R=X A Q=0) => (X = R+(YxQ)) 

(iii) (X = R+(YxQ)) A Y<R) => (X = (R-Y) + (Yx (Q+l))) 

(iv) (X = R+(YXQ)) A -i(Y<R) =* (X = R+(YxQ) A R<Y) 

Notice that these are statements of arithmetic; the constructs of our pro¬ 
gramming language have been ‘compiled away’. 

The third step ((iii) above) consists in proving these four verification 
conditions. These are all well within the capabilities of modern automatic 
theorem provers. 

3.3 Annotation 

An annotated command is a command with statements (called assertions) 
embedded within it. A command is said to be properly annotated if state¬ 
ments have been inserted at the following places: 

(i) Before each command Ci (where i > 1) in a sequence C\ ; C 2 ; ... ; C n 
which is not an assignment command, 
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(ii) After the word DO in WHILE commands. 

Intuitively, the inserted assertions should express the conditions one expects 
to hold whenever control reaches the point at which the assertion occurs. 

A properly annotated specification is a specification {P}C{Q} where C 
is a properly annotated command. 

Example: To be properly annotated, assertions should be at points © and 
© of the specification below: 

{X=n} 

Y:=l; ^© 

WHILE X^O DO 4—© 

(Y:=YxX; X:=X-1) 

{X=0 A Y=n!} 

Suitable statements would be: 

at ®: {Y = 1 A X = n} 
at ©: {YxX! = n!} 


The verification conditions generated from an annotated specification 
{P}C{Q} are described by considering the various possibilities for C in turn. 
This process is justified in Section 3.5 by showing that b {P}C{Q} if all the 
verification conditions can be proved. 

3.4 Verification condition generation 

In this section a procedure is described for generating verification conditions 
for an annotated partial correctness specification {P}C{Q}. This procedure 
is recursive on C. 


Assignment commands 

The single verification condition generated by 
{P}V-.‘E{Q} 
is 

P => QIE/V ] 
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Example: The verification condition for 

{X=0} X:=X+1 {X=l} 


is 


X=0 =► (X+l)=l 


(which is clearly true). 


Conditionals 

The verification conditions generated from 

{P} IF S THEN Ci ELSE C 2 {Q} 
are 

(i) the verification conditions generated by 

{P A S} Ci {Q} 

(ii) the verification conditions generated by 

{P A C 2 {Q} 


If Ci ; ... ; C n is properly annotated, then (see page 41) it must be of 
of the two forms: 


1. Ci) ... ; C n _i){R}C n , or 

2. Cd ... )C n -i)V := E. 

where, in both cases. & : ... 1 is a DroDerlv annotated command. 
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Sequences 

1. The verification conditions generated by 

{P}C i; ...;CU; WCUQ} 

(where C n is not an assignment) are: 

(a) the verification conditions generated by 

{P}C l] ...-,C n -l {R} 

(b) the verification conditions generated by 

m c n {q} 

2. The verification conditions generated by 

{P} \ C n _i ; V: =E {Q} 

are the verification conditions generated by 

{P} Cu ... ;C' n _ 1 {QIE/V1} 


Example: The verification conditions generated from 

{X=x A Y=y} R:=X; X:=Y; Y:=R{X=y A Y=x} 
are those generated by 

{X=x A Y=y} R:=X; X:=Y {(X=y A Y=x) [R/Y]} 
which, after doing the substitution, simplifies to 

{X=x A Y=y} R:=X; X:=Y {X=y A R=x} 

The verification conditions generated by this are those generated by 
{X=x A Y=y} R:=X {(X=y A R=x) [Y/X]} 


diich, after doing the substitution, simplifies to 
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{X=x A Y=y} R:=X {Y=y A R=x}. 

The only verification condition generated by this is 

X=x A Y=y =* (Y=y A R=x) [X/R] 
which, after doing the substitution, simplifies to 

X=x A Y=y => Y=y A X=x 

which is obviously true. 

A correctly annotated specification of a WHILE-command has the form 
{P} WHILE S DO {R} C {Q} 

Following the usage on page 26, the annotation R is called an invariant. 



Example: The verification conditions for 
{R=X A Q=0} 

WHILE Y<R DO {X=R+YxQ} 
(R:=R-Y; Q=Q+1) 

{X = R+(YxQ) A R<Y} 

are: 


(i) R=X A Q=0 =► (X = R+(YxQ)) 
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(ii) X = R+YxQ A -i(Y<R) =>• (X = R+(YxQ) A R<Y) 

together with the verification condition for 

{X = R+(YxQ) A (Y<R)} 

(R:=R-Y; Q:=Q+1) 

(X=R+(YxQ)} 

which consists of the single condition 

(iii) X = R+(YxQ) A (Y<R) =>• X = (R-Y) + (Yx (Q+l)) 

The WHILE-command specification is thus true if (i), (ii) and (iii) hold, i.e. 

h {R=X A Q=0} 

WHILE Y<R DO 

(R:=R-Y; Q:=Q+1) 

{X = R+(YxQ) A R<Y} 

if 


h R=X A Q=0 => (X = R+(YxQ)) 

and 

h X = R+(YXQ) A -i(Y<R) => (X = R+(YxQ) A R<Y) 

and 

h X = R+(YXQ) A (Y<R) =>• X = (R-Y) + (Yx (Q+l)) 


3.5 Justification of verification conditions 

It will be shown in this section that an annotated specification {P}C{Q} 
is provable in Hoare logic (i.e. b {P}C{Q}) if the verification conditions 
generated by it are provable. This shows that the verification conditions are 
sufficient , but not that they are necessary. In fact, the verification conditions 
are the weakest sufficient conditions, but we will neither make this more 
precise nor go into details here. An in-depth study of preconditions can be 
found in Dijkstra’s book [8]. 

It is easy to show that the verification conditions are not necessary, i.e. 
that the verification conditions for {P}C{Q} not being provable doesn’t 



3.5. Justification of verification conditions 


47 


imply that b {P}C{Q} cannot be deduced. For example, the verification 
conditions from the annotated specification {T} WHILE F DO {F} X:=0 {T} 
are not provable, but this Hoare triple is provable in Hoare logic. 

The argument that the verification conditions are sufficient will be by 
induction on the structure of C. Such inductive arguments have two parts. 
First, it is shown that the result holds for assignment commands. Second, it 
is shown that when C is not an assignment command, then if the result holds 
for the constituent commands of C (this is called the induction hypothesis ), 
then it holds also for C. The first of these parts is called the basis of the 
induction and the second is called the step. From the basis and the step it 
follows that the result holds for all commands. 

Assignments 

The only verification condition for {P}V:=E{Q} is P => Q IE/V"\. If this 
is provable, then as b {Q [E/V] }V:—E{Q} (by the assignment axiom on 
page 20) it follows by precondition strengthening (page 22) that b {P}V := 
E{Q}. 

Conditionals 

If the verification conditions for {P} IF S THEN C 1 ELSE C 2 {Q} are prov¬ 
able, then the verification conditions for both {P A 5'} C\ {Q} and 
{P A -P} C 2 {Q} are provable. By the induction hypothesis we can assume 
that b {P A S'} Ci {Q} and b {P A -P} C 2 {Q}. Hence by the 
conditional rule (page 26) b {P} IF S THEN Ci ELSE C 2 {Q}. 

Sequences 

There are two cases to consider: 

(i) If the verification conditions for {P} Ci; ... ;C n . i;{P}C n {Q} are 
provable, then the verification conditions for {P} Ci; ... ;C n _i {P} 
and {P} C n {Q} must both be provable and hence by induction we 
have b {P} Ci; ... ;C n _! {P} and b {P} C n {Q}. Hence by the 
sequencing rule (page 24) b {P} C\ ; ... ; C n -i;C n {Q}. 

(ii) If the verification conditions for {P} C±; ... ;C n _\;V := E {Q} are 
provable, then it must be the case that the verification conditions for 
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{P} C\] ... \ C n -1 {Q IE /VI } are also provable and hence by induction 
we have b {P} C\\ ... ;(7 n _i {QIE/V"\}. It then follows by the 
assignment axiom that b {Q IE/V~\ } V := E {Q}, hence by the 
sequencing rule b {P} Cj ; ... ;C n -i;V := E{Q}. 

WHILE-commands 

If the verification conditions for {P} WHILE S DO {P} C {Q} are provable, 
then b P =>• P, b (PA ~>S) Q and the verification conditions for 
{P A S'}C'{P} are provable. By induction b {P A P}(7{P}, hence by 
the WHILE-rule (page 26) b {P} WHILE S DO C {P A ~<S}, hence by the 
consequence rules (see page 24) b {P} WHILE S DO C {Q}. 



Chapter 4 


Soundness and Completeness 


The question of whether the axioms and rules of Hoare logic are 
correct (soundness) and sufficient (completeness) is investigated. 
This requires the meaning (semantics) of the programming lan¬ 
guage to be formulated explicitly so that the semantics of Hoare 
triples can be rigorously defined. 


4.1 Semantics 

A command C transforms an initial state into a final state (or fails to ter¬ 
minate). For the language described so far there is at most one final state 
reachable from a given initial state - i.e. commands are deterministic - but 
this will not be the case later, when we add storage allocation to our lan¬ 
guage. There are several essentially equivalent ways to represent the meaning 
of commands mathematically. We will use relations, but partial functions are 
often used. Use of relations is associated with operational semantics and par¬ 
tial functions with denotational semantics, however this is not rigid: denota- 
tional semantics can use relations as denotations and operational semantics 
can inductively define functions. In fact, in Section 4.1.2 below, we give a 
denotational semantics of commands in which the denotations are relations. 

The various styles of semantics are largely just different ways of repre¬ 
senting the same mathematical ideas. Some mathematical representations 
are better suited for some purposes and other representations for others. 
The semantics I give below may or may not correspond to semantics you 
have seen before in earlier courses. If it seems different, then a good exercise 
is to think about how it is related. 

We are going to represent the meaning of a command C by a binary 
relation on the set of states: .sq is related to s 2 in this relation iff when C is 
executed in state s i it terminates in state s 2 . 
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There are several ways of representing relations mathematically and al¬ 
though it doesn’t really matter which one is chosen, it may help avoid confu¬ 
sion in what follows if we say a little about these alternative representations 
here, before diving into specific details. 

Introductory books on set theory usually represent relations as sets of 
ordered pairs, so x is related to y by relation R iff (x, y) G R. Thus a binary 
relation R between sets X and Y is a subset of X x Y, i.e. R C ( X x Y) or, 
equivalently, R G V[X x Y), where V is the powerset operator. If S is any set 
then any subset A C S can be characterised by a function f A : S — > {T, F} 
defined by: 

Vs G S. f A (s) = T «sg4 

f A is called the characteristic function of A. Thus a relation R C ( X x Y) 
can be characterised by its characteristic function f R defined by: 

Wx EX.Vye Y. f R (x,y) = T ^ (x,y) G R 

where f R : (X x Y) — > {T, F}. If the set of functions from set S to set T is 
denoted by (S — > T) and Bool is the set {T, F}, then / k g((IxF)4 Bool). 
You may recall from earlier courses (e.g. on ML) that functions that take two 
or more arguments can be ‘curried’ so that they take the arguments one at 
a time. If we curry f R we get a function fff rried defined by: 

X y - f R (x, y) 

and then f^ned . x (Y Bool ) or f™ rried : X Y -4 Bool if we 
assume the standard convention that —> associates to the right. Note that 
we also have /™ rHed G V(X —t>Y—t Bool). 

To sum up, a relation R can be represented by a set of pairs, by a charac¬ 
teristic function that maps pairs to Booleans, or by the curried characteristic 
function. For a somewhat arbitrary mixture of historical and stylistic rea¬ 
sons, we are going to use the curried characteristic function representation of 
relations to represent the semantics of commands. Specifically, we are going 
to define Csem C si s 2 to mean that if command C is started in state Si 
then it can terminate in state s 2 . Here Csem C is the relation that represents 
the semantics of (7, represented as a curried characteristic function. The 
set of commands in our language will be denoted by Com and the set of 
states will be denoted by State. Thus Csem C : State —>• State —>• Bool or 
Csem : Com —>• State —> State —> Bool. As mentioned earlier, the choice of 
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representing Csem C as a curried characteristic function, rather than as a set 
of ordered pairs, is more a matter of style than substance. 

Let Var be the set of variables that are allowed in statements, expressions 
and commands and Val be the set of values that variables can take. It is not 
necessary to be specific about what variables and values actually are: Var 
could be, for example, the set of finite strings of ASCII characters and Val 
could be the set of integers. A state determines the value of each variable 
and, in addition, may contain other information. For our little programming 
language it is sufficient to take the state to be a function from Var to Val. 
Using the notation A —>• B to denote the set of functions with domain A and 
range (codomain) B we define the set State of states by: 

State = Var —>• Val 

Note that the following are all equivalent s € State, s e (Var —>• Val) and 
s : Var —>• Val. I will sometimes use s(v) and sometimes s v for the value 
associated with variable v in state s (i.e. the application of the function 
representing the state s to v). Although in this chapter it is sufficient to 
represent states as functions from variables to values, in Chapter 7 we will 
need to add another components to the state to represents the contents of 
pointers. We will extend the definition of State in that chapter. Particular 
states can be defined using A-notation. For example, the state that maps X 
to 1, Y to 2 and everything else to 0 is defined by: 

Xv. ifv=X then 1 else (ifv =Y then 2 else 0) 

If s G State, v e Var and n e Val then s [n/r] denotes that state that is 
the same as s, except for the value of variable v is ‘updated’ to be n. Thus 
s[n/v~\ is given by the equation: 

s ln/vl = Xv'. ifv' — v then n else s(v') (where v 1 is a new variable) 

Example: 

(Xv. ifv—X then 1 else (ifv— Y then 2 else 0)) [3/Z] = 

Xv. ifv—X then 1 else (ifv— Y then 2 else (ifv— Z then 3 else 0)) 

4.1.1 Semantics of expressions and statements 

Commands may contain expressions or statements: expressions occur on the 
right hand side of assignments and statements occur in the tests of condi¬ 
tionals and WHILE-commands. The precondition and postcondition of Hoare 
triples are also statements. The classical treatment of Hoare logic was built 
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upon first order logic, expressions were taken to be terms of logic and state¬ 
ments to be formulae. You will be familiar with the semantics of first order 
logic from earlier courses and I do not want to repeat that material here. 
Furthermore, in modern applications, the language used for writing precon¬ 
ditions and postconditions is now sometimes weaker or stronger than first 
order logic, e.g. quantifier free logic (weaker) or higher order logic (stronger). 

To avoid the details of particular logics and their semantics we will assume 
that we are given sets Exp and Sta of expressions and statements, together 
with semantic functions Esem and Ssem defining their semantics, where: 

Esem : Exp — y State —» Vai 
Ssem : Sta — > State — > Bool 

We now give some informal discussion and examples to illustrate how Esem 
and Ssem might be defined for particular logics (i.e. for particular Exp and 
Sta) . We hope it will be clear from this how a more formal treatment would 
go. In the usual logic terminology (e.g. as used in the IB Tripos course Logic 
and Proof ) we are using states to represent interpretation functions and Vai 
as the domain or universe. Variables are interpreted by looking them up in 
the state: 

Esem Xs = s(X) 

Constants get their usual mathematical or logical meaning: 

Esem 3 s = 3 
Ssem T s = T 

Compound expressions or statements are interpreted bottom up: the (re¬ 
cursively computed) value of sub-expressions is combined using appropriate 
mathematical or logical operators to get the interpretation of the whole ex¬ 
pression. For example: 

Esem (-E) s = —(Esem E s) 

Esem (Ei + E 2 ) s = (Esem Ei s } *f (Esem E 2 s ) 

Ssem (-i S) s — -<(Ssem S s) 

Ssem (Si < S 2 ) s = (Ssem S x s) < (Ssem S 2 s ) 

where the symbols “+”, u ~>” and “<” on the left hand side of these 

equations are part of the syntax of statements (i.e. part of the object lan¬ 
guage) and those on the right hand side are informal mathematical notation 
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(i.e. part of our metalanguage). This is a subtle point worth pondering! 
Quantifiers (which may occur in preconditions and postconditions, but prob¬ 
ably not in tests in commands) are interpreted in the standard way: 

Ssem (Vu. S) s = Mn Ssem S (sln/v~\) 

Ssem (3u. S) s = 3n. Ssem S (sln/vl) 

Example: 

Ssem (Y<Z+3) (Av. ifv=X then 1 else (ifv= Y then 2 else 0)) = (2<0+3) 

I hope this is sufficient explanation of Esem and Ssem for what follows. Note 
that for any E e Exp and S e Sta it is the case that: 

Esem E : State —>■ Val 
Ssem S : State —> Bool 

4.1.2 Semantics of commands 

Csem C s\ s 2 will be defined recursively bottom up. The only commands 
that don’t contain sub-commands are assignments. After an assignment the 
final state s 2 is equal to the initial state with the variable V on the left hand 
side of the assignment updated to have the value of the expression E on the 
right hand side of the assignment in the initial state. 


| Csem ( V\=E) s\ s 2 = (s 2 = si[(Esem E si)/V1) 


A final state s 2 can be reached by executing a sequence C\ ; C 2 starting in 
an initial state s\ iff there is an intermediate state s reachable by executing 
Ci in si and s 2 is reachable from this intermediate state by executing C 2 . 


| Csem {Ci\C 2 ) si s 2 = 3s. Csem C\ Sj s A Csem C 2 s s 2 


If S is true in a state Si then state s 2 can be reached by executing the 
conditional IF S THEN C\ ELSE C 2 starting in Si iff s 2 can be reached by ex¬ 
ecuting the THEN-branch C\ starting in si. However, if S is false in a state 
Si then state s 2 can be reached by executing conditional starting in si iff s 2 
can be reached by executing the ELSE-branch C 2 starting in sp 


Csem (IF S THEN C\ ELSE C 2 ) s : s 2 = 
if Ssem S si then Csem C\ si s 2 else Csem C 2 si s 2 
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If final state s 2 can be reached from initial state ,s i by executing 
WHILE S DO (7, then there must be some finite number of iterations of C that 
will reach s 2 , S must be true in all the intermediate states and false in s 2 . 
This is formalised by defining a function Iter that iterates a finite number of 
times and then defining: 

| Csem (WHILE S DO C) s\ s 2 = 3n. Iter n (Ssem S) (Csem C ) s\ s 2 j 

The function Iter is defined by recursion on n as follows: 

Iter 0 p c si s 2 = -i (p si) A (si=s 2 ) 

Iter (n+1) p c si s 2 — p si A 3s. c si s A Iter n p c s s 2 
The hrst argument n of Iter is the number of iterations. The second argument 
p is a predicate on states (e.g. Ssem S). The third argument c is a curried 
characteristic function (e.g. Csem C). The fourth and fifth arguments are 
the initial and final states, respectively. If Num is the set of natural numbers 
{0,1 , 2 ,.. .}, then: 

Iter : Num^ ( State—t Bool) (St ate^ Stated Bool) ^ Stated St ate—^ Bool 


4.2 Soundness of Hoare logic 

The meaning of a Hoare triple {P} C {Q} is defined to be Hsem P C Q 
where: 


| Hsem P C Q = Vsi s 2 . Ssem P si A Csem C s\ s 2 =»- Ssem Q s 2 | 

This definition can be used to formulate the soundness of Hoare logic. To do 
this we must prove that all instances of the assignment axiom are true, and 
that all conclusions deduced using inference rules are true if the hypotheses 
are true. Recall the assignment axiom: 

The assignment axiom 

b {PIE/VI} V:=E {P} 

Where V is any variable, E is any expression, P is any statement and 
the notation P[E/V~\ denotes the result of substituting the term E for 
all occurrences of the variable V in the statement P. 
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To prove this sound we must show that for every V, E and P: 

Hsem {PIE/VI) (V :=E) P 
Unfolding the definition of Hsem converts this to: 

Vsi .s’ 2 . Ssem (PIE/VI) Sj A Csem (V:=E) si s 2 => Ssem P s 2 
Unfolding the definition of Csem converts this to: 

Vsi s 2 . Ssem ( P IE/VI) s% A (s 2 = S\ [(Esem E si)/U]) => Ssem P s 2 
which simplifies to: 

Vsi. Ssem (P\_E/V\) Sl => Ssem P (si[(Esem E Sl )/U]) 

This may appear confusing since it uses the notation [•••/•••] with dif¬ 
ferent meanings in the antecedent (the left argument of =>) and consequent 
(the right argument). In the antecedent, PIE/VI denotes the result of sub¬ 
stituting the expression E for the variable V in the statement P. In the 
consequent Si [(Esem E Si)/V] denotes the state obtained by updating si 
so that the value of V is the value of E in si (and the values of all other 
variables are unchanged). 

Diversion on substitution. 

We have avoided specifying in detail exactly what the syntax of expressions 
and statements is, so it is not possible to prove general properties about 
them. However, for any reasonable definitions we would expect that: 

Ssem (PIE/VI) s = Ssem P (s[(Esem E s)/V]) 

For example, take P to be X+Y>Z, E to be X+l and V to be Y, then the 
equation above becomes: 

Ssem ((X+Y>Z)[(X+1)/Y]) s = Ssem (X+Y>Z) (s[(Esem (X+l) s)/Y]) 
Now Esem (X+l) s = s(X)+l so the equation above becomes: 

Ssem ((X+Y>Z) [(X+l)/Y]) s = Ssem (X+Y>Z) (s[(s(X)+l)/Y]) 
Evaluating the substitution on the left hand side reduces this to: 

Ssem (X+(X+1)>Z) s = Ssem (X+Y>Z) (s[(s(X)+l)/Y]) 

Evaluating the Ssem gives: 

( S (X) + ( S (X)+1)>S(Z)) = 

((»t(s(X)+l)/Y] )(X)+(s t(s(X)+l)/Y] )(Y)>(s [(s(X) + l)/Y] )(Z)) 
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Using the definition of s [n/u], and assuming X, Y and Z are distinct, enables 
the right hand side of this equation to be simplified, to give: 

(s(X)+(s(X)+l)>s(Z)) = (s(X)+(s(X)+l)>s(Z)) 

This is clearly true as the left and right hand sides are identical. 

Although this is just an example, it illustrates why for all S, E, V and s 
it is the case that: Ssem (S[E/V~\) s = Ssem S (s[(Esem E s)/Vl) 

In fact, if this equation did not hold then one would have a bad defi¬ 
nition of substitution - indeed this equation can be taken as the semantic 
specification of substitution! 

End of diversion on substitution. 

Returning to the soundness of the assignment axiom, recall that it was 
equivalent to the following holding for all P, E and V: 

Vs v Ssem (PIE/VI) s t Ssem P (si[(Esem E Si)/U]) 

If the equation for substitution motivated in the diversion above holds, then 
this implication holds too, since for any statements P and Q, if P = Q then 
it follows that P =>• Q. 

Thus, assuming the semantic substitution equation discussed above, we have 
shown that the assignment axiom is sound. 

The soundness of the Hoare logic rules of inference is almost trivial except 
for the WHILE-rule, and even that is fairly straightforward. We will restate 
the rules and then outline the proof of their soundness. 

Precondition strengthening 

b P =* P', b { P '} C {Q} 
b {P} C {Q} 

This rule is sound if the following is true for all P, P ', C and Q: 

(Vs. Ssem P s => Ssem P 1 s) A Hsem P’ C Q => Hsem P C Q 
which, after expanding the definition of Hsem, becomes: 

(Vs. Ssem P s => Ssem P' s) A 

(Vsi s 2 . Ssem P' s\ A Csem (7 si s 2 =t Ssem Q s 2 ) 

Vsi s 2 . Ssem P si A Csem C si s 2 =>• Ssem Q s 2 
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This is an instance of the statement below if we take p, p', q, c to be Ssem P 
Ssem P', Ssem Q, Csem C, respectively. 

(Vs. p s =>• p' s) A (Vsi s 2 . p' Si A c Si s 2 =F q s 2 ) 

Vsi s 2 . p Si A c Si s 2 =>• q s 2 
This is clearly true. 

Postcondition weakening 

b {P}C{Q'}, b Q'^Q 

F W c {<?} 

This is sound by a similar argument. 

Specification conjunction 

I- {Pi} C {0!}, I- {P 2 } C {g 2 } 

I- {P i A P 2 } C {C'l A Q 2 } 

Specification disjunction 

I- {Pi} c {0!}, P {P 2 } C {Q 2 } 

P {Pi VP,} C {QiVQ 2 } 

This is sound by a similar argument. 

The sequencing rule 

b {P} C, {Q}, b {Q} C 2 {R} 
b {P}C i; C 2 {R} 

This rule is sound if the following is true for all P, Q, R , C\ and C 2 : 

Hsem P C'l Q A Hsem Q C 2 R =► Hsem P (<7 i; <7 2 ) P 
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which, after expanding the definition of Hsem, becomes: 

fVsi s 2 . Ssem P si A Csem C si s 2 =>• Ssem Q s 2 l A 
(Vsi s 2 . Ssem Q si A Csem C si s 2 => Ssem P s 2 ) 

=>• 

Vsi s 2 . Ssem Psj A Csem (Ci;C 2 ) «i «2 =>• Ssem R s 2 
This is an instance of the statement below if we unfold the definition of 
Csem (C11C2) and take p, q, r, ci, c 2 to be Ssem P, Ssem Q , Ssem P, 
Csem Ci, Csem C 2 , respectively. 

(Vsi s 2 . p A ci si s 2 g s 2 ) A (Vsi s 2 . g Si A c 2 Si s 2 =t r s 2 ) 

Vsi s 2 . p si A (3s. ci si s A c 2 s s 2 ) =>• r s 2 
This is clearly true. 

The conditional rule 

b {PAS} Ci {Q}, {PA^S}C 2 {Q} 

h {P} IF S' THEN Ci ELSE C 2 {Q} 


A similar argument to the one for the sequencing rule shows the conditional 
rule to be sound. 


The WHILE-rule 

b {PAP} C {P} 
b {P} WHILE S DO C {P A S} 


This rule is sound if the following is true for all P, S and C : 

Hsem (P A S) C P =» Hsem P (WHILE S DO C) (P A -.£)) 
which, after expanding the dehnition of Hsem, becomes: 

(Vsi s 2 . Ssem (P A P) si A Csem C si s 2 Ssem P s 2 ) 

=7 > 

Vsi s 2 . Ssem Psi A Csem (WHILE P DO C) s\ s 2 Ssem (P A -iP) s 2 
Using the equations Ssem (P A Q) Si = Ssem P sj A Ssem Q si and 
Ssem (P A -iQ) s 2 = Ssem P s 2 A ->(Ssem Q si) and expanding the deh¬ 
nition of Hsem (WHILE P DO C) converts this to: 
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(Vsi s 2 . Ssem P si A Ssem S si A Csem C si s 2 =t Ssem P si 

Vsi s 2 . Ssem P si A (3n. Iter n (Ssem S) (Csem C) s\ s 2 ) 

=$■ 

Ssem Ps 2 A -i(Ssem S s 2 ) 

This is an instance of the statement below if we take p, b , c to be Ssem P, 
Ssem S', Csem (7, respectively. 

(Vsi s 2 . p Si A b Si A c Si s 2 =>• p si) 

=>• 

Vsi s 2 . p si A (3n. Iter n b c si s 2 ) p s 2 A ->(6 s 2 ) 
which is equivalent to: 

(Vsi s 2 . p si A b si A c si s 2 => p si) 

Vn si s 2 . p si A Iter n b c si s 2 =>• p s 2 A -<(6 s 2 ) 

To prove this, assume the antecedent and show the consequent by induction 
of n. The basis (n = 0 case) is clearly true as ‘false implies everything’. For 
the induction step assume: 

1. Vsi s 2 . p Si A b Si A c Si s 2 =>• p Si (Hoare rule hypothesis) 

2. Vsi s 2 . p si A Iter n b c si s 2 =>• p s 2 A -i(6 s 2 ) (induction hypothesis) 
From these we must show the induction conclusion: 

p Si A Iter (n+1) b c si s 2 =>• p s 2 A -i(6 s 2 ) 

Using the recursive dehnition of Iter (n+1) converts this to: 

p Si A (b Si A 3s. c Si s A Iter nb c s s 2 ) ^ p s 2 A -i(6 s 2 ) 
which with a bit of quantiher fiddling is equivalent to: 

p Si A b Si A c Si s A Iter n b c s s 2 ^ p s 2 A -i(6 s 2 ) 

Which follows from the Hoare rule hypothesis and the induction hypothesis 
(i.e. 1 and 2 above) by a bit of implication chaining. 

4.3 Decidability and completeness 

{T}C'{F} is true if and only if C does not terminate, therefore, since the 
halting problem is undecidable, so is Hoare logic. 

Soundness is that any Hoare triple that can be deduced using the ax¬ 
ioms and rules of inference of Hoare logic is true. The converse, complete¬ 
ness, would be that any true Hoare triple could be deduced using the ax¬ 
ioms and rules of Hoare logic. Unfortunately, this cannot hold in general. 
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Consider {T} X:=X{P}. According to the semantics above, this is true iff 
Hsem T (X: =X) P is true, i.e.: 

Vsi s 2 . Ssem T si A Csem (X:=X) si s 2 => Ssem P s 2 
Since Csem (X:=X) si s 2 = (s 2 = «i) and Ssem T si = T this reduces to: 

Vsi s 2 . T A (s 2 = Si) => Ssem P s 2 

which, by specialising si and s 2 to s, simplifies to Vs. Ssem P s - i.e. P 
is true. Thus if we could deduce any true Hoare triple using Hoare logic 
then we would be able to deduce any true statement of the specification 
language using Hoare logic! Most logics suitable for specifying programs are 
incomplete (e.g. first order arithmetic), so Hoare logic cannot be complete. 

However the kind of completeness just described above is only impossible 
due to the incompleteness of the specification language used for precondi¬ 
tions and postconditions. If we separate the ‘programming logic’ from the 
‘specification logic’, then it is possible to formulate a sort of completeness, 
called relative completeness [6], that provides some reassurance that Hoare 
logic is adequate for reasoning about the small collection of simple commands 
we have discussed - i.e. there are no ‘missing’ axioms or rules. It turns out, 
however, that even this limited kind of completeness may be impossible for 
constructs found in many real languages (but not in our ‘toy’ language) [5]. 

We will not attempt to explain the exact details of Cook’s and others’ 
work on relative completeness, as both the technical logical issues and also 
their intuitive interpretation are quite subtle [1, 16]. Furthermore doing this 
would require us to be more precise than we wish about the syntax, seman¬ 
tics and proof theory of the specification language in which preconditions and 
postconditions are expressed. We will, however, sketch the key ideas. A con¬ 
cept that is used in proving relative completeness is the weakest precondition. 
This concept is not only useful for its role in showing relative completeness, 
it also has practical applications, including providing an improved approach 
to verification conditions (which we discuss later) and as the foundation for 
theories of program refinement. 

4.3.1 Relative completeness 

We are going to explain the idea of relative completeness and also show 
that it holds for our little programming language by using weakest liberal 
preconditions. However, we will put off the detailed definition and analysis 
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of these until Section 4.3.2. In this section we say just enough about what 
they are and what properties they have (Pi, P 2 and P 3 below) so that we 
can explain relative completeness. 

For each command C and statement Q we assume there is a statement 
wlp (C ,Q) - intuitively the weakest precondition such that ensures Q holds 
after executing C - with the property that: 

b {wlp (C,Q)}C{Q} (Pi) 

The existence of the statement wlp ((7,(5) in the specification language de¬ 
pends on the specification language being strong enough. A language strong 
enough to enable wlp ((7,(5) to be defined is called expressive. 

The operator wlp constructs a statement, which is a sentence in a formal 
language, from a command and another statement. Thus wlp constructs a 
syntactic thing (a statement) from other syntactic things (a command and 
a statement). We also assume a semantic counterpart to wlp called Wlp 
which operates on the meanings of commands (functions representing binary 
relations on states) and the meanings of statements (predicates on states). 
Wlp is a curried function: 

Wlp : (State —»• State -» Bool ) — (State —>• Bool ) — > State — > Bool 

we assume the following property connecting wlp and Wlp for all commands 
(7 and statements Q: 

Ssem (wlpCC'.Q)) = Wlp (Csem (7)(Ssem Q) (P 2 ) 

Notice that this is an equation between predicates. We also assume: 

Hsem P C Q = Vs. Ssem P s => Wlp (Csem C ) (Ssem Q) s (P 3 ) 

The shape of the relative completeness proof can now be sketched. As¬ 
sume {P} C {Q} is true, i.e. Hsem P C Q is true. We will show that the 
statement P =>• wlp (C ,Q) must also be true - assume this for now. If we 
could prove this true statement, i.e. had h P =>- wlp (C, Q ), then by precon¬ 
dition strengthening and the property Pi it would follow that h {P} C {Q} 
by Hoare logic. Thus Hoare logic is complete relative to the existence of an 
oracle for proving any true statement of the form P =>• wlp (C, Q). 

To summarise: relative completeness says that if wlp (C ,Q) is expressible 
in the specification language and if there is an oracle to prove true statements 
of the form P vilpiC ,Q), then any true Hoare triple {P} C {Q} can be 
proved using Hoare logic. 
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We now run through the relative completeness argument again, but in a 
bit more detail, showing how assumptions P 2 and P 3 are used. Recall: 

Ssem (wlpCCbQ)) = Wlp (Csem C')(Ssem Q) (P 2 ) 

Hsem P C Q = Vs. Ssem P s => Wlp (Csem C) (Ssem Q ) s (P 3 ) 

Assume for any C and Q that wlp (C, Q) is expressible in the specihcation 
language and also that for any P, C and Q there is an oracle to prove true 
statements of the form P =>- wlpCCbQ) - i.e. if Vs. Ssem ( P => wlp( C,Q)) s 
(statement true) then the oracle gives wlp(C ,Q) (statement proved). 

The Hoare triple {P} C {Q} being true means, according to our seman¬ 
tics, that Hsem P C Q is true. If this is true, then by P 3 assumed above: 

Vs. Ssem P s Wlp (Csem C) (Ssem Q ) s 
and then by assumed property P 2 : 

Vs. Ssem Ps4 Ssem (wlpCC.Q)) s 

Although we have not completely defined the specihcation language, we as¬ 
sume at least that it contains an infix symbol =>• whose meaning is logical 
implication, so that from the statement above we can deduce: 

Vs. Ssem (P wlp (C,Q)) s 

i.e. the statement P => wlp(C ,Q) is true. Now we use the assumed oracle 
for formulae of this form to prove h P =^- wlp(C ,Q) and hence by assumed 
property Pi and precondition strengthening, we can prove h {P} C {Q}. 

To complete the outline above we must define wlp and Wlp and prove 
the properties Pi, P 2 and P 3 . The axioms and rules of Hoare logic will be 
used to prove Pi, and it is the fact that they can prove this that is really the 
essence of their completeness. 

4.3.2 Syntactic and semantic weakest preconditions 

If P Q we say that P is stronger than Q and, dually, that Q is weaker 
than P. The weakest precondition of a command C with respect to a 
postcondition Q is the weakest predicate, denoted by wp(C',Q), such that 
[wpCC'.Q)] C IQ]. Notice that this is related to total correctness. The 
partial correctness concept is called the weakest liberal precondition and is 
denoted by wlpCC.Q): the statement wlp(C',Q) is the weakest predicate 
such that {wlpCC ,Q)} C {Q}. In this chapter we only use weakest liberal 
preconditions. Their key properties are Pi, i.e. h {wlp (C,Q)} C {Q} and 
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for all P that {P} C {Q} => (P => wlpCC'.Q))- These properties can be 
expressed more concisely as the single equation: 

{P}C{Q} = (P => wlpCC'.Q)) 

This equation is easily seen to be equivalent to the key properties just men¬ 
tioned using the rule of precondition strengthening and the reflexivity of =t. 

If the specification language - i.e. the language of preconditions and post¬ 
conditions - is strong enough to express the weakest liberal precondition for 
all commands C and postconditions Q then it is said to be expressive. Since 
we haven’t said what the specification language is we cannot say much about 
expressiveness. 

We can define the semantic operator Wlp on predicates via our semantics; 
this is an example of a predicate transformer [7]. 

Wlp c q = As. Vs', c s s' => q s' 

Recall the definition of Hsem: 

Hsem P C Q = Vsi s 2 . Ssem P si A Csem C si s 2 Ssem Q s 2 
We can easily prove property P 3 , namely: 

Hsem P C Q = Vs. Ssem P s => Wlp (Csem P ) (Ssem Q) s 

P 3 follows from the definitions of Hsem and Wlp by taking p, c and q to be 
Ssem P, Csem C and Ssem Q, respectively, in the logical truth below. 

(Vsi s 2 . p Si A c Si s 2 =>• q s 2 ) = (Vs. ps4 (As. Vs', c s s' =>• q s') s) 

To prove P 3 and P 2 we need the following equations, which follow from the 
definition of Wlp. 

Wlp (Csem {V:=E)) q 
= As. g(s[( Esem E s)/V]) 

Wlp (Csem(G'i ;6 Y 2 )) q 
= As. Wlp (Csem Ci) (Wlp (Csem C 2 ) q) s 

Wlp (Csem(lF S THEN C x ELSE C 2 )) q 
= As. if Ssem S s then Wlp (Csem Cf) q s else Wlp (Csem C 2 ) q s 

Wlp (Csem(WHILE S DO C)) q 
= As. Vn. IterWIp n (Ssem S) (Csem C) q s 
where IterWIp 0 p c q s = ->(p s) =>• q s 

IterWIp (n+ 1) p c q s = p s => Wlp c (IterWIp n p c q) s 
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We prove the equation for WHILE-commands. Expanding the definitions of 
Wlp and Csem yields: 

(As. Vs'. (3n. Iter n (Ssem S) (Csem C) s s') s s' ^ q s') 

= As. Vn. IterWIp n (Ssem S) (Csem C) q s 
Thus it is sufficient to prove that: 

Vs. (Vn s'. Iter n p c s s' => q s') = Vn. IterWIp n p c q s 
which follows from: 

Vn s. (Vs'. Iter n p c s s' =>• q s') = IterWIp n p c q s 
which is equivalent to: 

Vn s. Wlp (Iter n p c) q s = IterWIp n p c q s 
We prove this by induction on n. First recall the definitions: 

Iter 0 p c si s 2 = ~>(p si) A (si=s 2 ) 

Iter (n+1) p c Si s 2 = p Si A 3s. c si s A Iter n p c s s 2 

IterWIp Opcg = As. -i(p s)=^gs 

IterWIp (n+1) p c q — As. p s => Wlp c (IterWIp n p c q) s 

Basis. 

The n = 0 case is Wlp (Iter 0 p c) q s = IterWIp 0 p c q s which unfolds to 
(Vs', -i (p s) A(s — s') + g s') = -i (p s) => q s which is true. 

Step. 

The induction hypothesis is Vs. Wlp (Iter n p c) q s = IterWIp n p c q s. 
From this we must show Wlp (Iter (n+1) p c) q s = IterWIp (n+1) p c q s. 
This unfolds to: 

Wlp (Asi s 2 . p Si A 3s. c Si s A Iter n p c s s 2 ) q s 
= p s => Wlp c (IterWIp n p c q) s 
Unfolding Wlp turns this into: 

(As. Vs'. (Asi s 2 . p si A 3s. c si s A Iter n p c s s 2 ) s s' => q s') s 
= p s => (As. Vs', c s s' => (IterWIp n p c q) s') s 
which reduces to: 

(Vs', p s A (3s". css" A Iter n p c s" s') => q s') 

= p s => Vs", c s s" => IterWIp n p c q s" 

Using the induction hypothesis on the RHS converts this to: 

(Vs', p s A (3s". css" A Iter n p c s" s') => q s') 

= p s => Vs", c s s" =>■ Wlp (Iter n p c) q s" 
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Unfolding Wlp: 

(Vs', p s A (3s". css" A Iter n p c s" s') => q s') 

= p s =>• Vs", c s s" =>• (As. Vs'. (Iter n p c) s s' ^ q s') s" 

which reduces to: 

(Vs', p s A (3s". css" A Iter n p c s" s') =>• q s') 

= ps Vs", c s s" =>• Vs'. Iter n p c s" s' ^ q s' 

which is true via a bit of quantifier manipulation. Thus we have proved: 
Wlp (Csem(WHILE S DO C)) q = As. Vn. IterWIp n (Ssem S) (Csem C) q s 

4.3.3 Syntactic preconditions and expressibility 

We now discuss how to define statements wlp (C ,Q) with properties Pi and 
P 2 , namely: 

I {wlp (C,Q)}C{Q> (Pi) 

Ssem (wlp((7,(3)) = Wlp (Csem (7) (Ssem Q) (P 2 ) 

Note that wlp operates on syntactic things (commands and statements), 
whereas Wlp operates on semantic things (mathematical functions on states 
representing the meaning of commands and statements). 

We will define wlp((7,(3) recursively on (7 and justify Pi and P 2 by 
structural induction on (7. The cases when (7 is an assignment, sequence or 
conditional are straightforward. 

I wipgjgljjgl =QiEm } 

If (7 is V: =E then Pi is just the assignment axiom and by the equation for 
Wlp (Csem (V:=E)) (Ssem Q) discussed on page 63, P 2 is the equation: 

Ssem (QIE/VI) s - Ssem Q (s[(Esem E s)/U]) 
which was justified in the “Diversion on substitution” on page 55. 

| wlp((Ci;C 2 ),Q) =wlp(Ci,wlp(C 2 ,Q)) 1 

Assume Pi and P 2 hold for (7i and (7 2 for arbitrary Q. Then: 

I {wlp((7 2 ,(3)} (7 2 {Q} 
h {wlp(Ci, (wlp(C 2 , Q) ))} Ci {(wlp(C 2 , Q) )} 
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hence Pi by the sequencing rule. To show P 2 when C is Ci; C 2 note that P 2 
in this case is: 

Ssem (wlp (6"i, wlp (C 2 ,Q))) 

= Wlp (Asi s 2 . 3s. Csem C'i si s A Csem C 2 s s 2 )(Ssem Q ) 

= Asi. Vs 2 . (3s. Csem Ci si s A Csem C 2 s s 2 ) => Ssem Q s 2 
= Asi. Vs s 2 . (Csem C'i si s A Csem C 2 s s 2 ) =>• Ssem Q s 2 

Expanding the LHS using induction twice with P 2 instantiated with C as C'i 
and Q as wlp(C 2 ,Q) and also with C as C 2 and Q just as Q gives: 

Wlp (Csem Ci) (Wlp (Csem C 2 ) (Ssem Q)) 

= Asi. Vs s 2 . (Csem Ci si s A Csem C 2 s s 2 ) Ssem Q s 2 

Expanding the LHS using the definition of Wlp then gives: 

Asi. Vs. Csem Ci si s Vs 2 . Csem C 2 s s 2 => Ssem Q s 2 
= Asi. Vs s 2 . (Csem Ci si s A Csem C 2 s s 2 ) => Ssem Q s 2 

which is true. 


| wlp((lF S THEN Ci ELSE C 2 ) ,Q) = (gAwlpCCi ,Q))V(-.,SA(wlp(C 2) Q)) | 


Note that (S' A Si) V (->S A S 2 ) means if S then Si else S 2 . The former is 
used to emphasis that all we are assuming about the specification language 
is the existence of Boolean operators A and V. Note that by Boolean 
algebra and the definition of wlp ((IF S THEN Ci ELSE C 2 ) ,Q): 

S A wlp ((IF S THEN Ci ELSE C 2 ) ,Q) = S Awlp(Ci,Q) 

-iS A wlp ((IF S THEN Ci ELSEC 2 ),Q) = ^S Awlp(C 2 ,Q) 

By induction, Pi for Ci and C 2 and precondition strengthening: 

{SAwlp(Ci,Q)}Ci{Q} 

{-SAwlp(C 2 ,g)}C 2 {Q} 

Hence by the conditional rule, substituting with the equations above: 

{wlp((IF S THEN Ci ELSE C 2 ) ,Q)} IF S THEN Ci ELSE C 2 {Q} 
which is Pi for conditionals. Property P 2 is: 

Ssem ((S A wlp(Ci.Q)) V (-S A (wlp(C 2 ,Q))) 

= Wlp (Csem (IF S THEN Ci ELSE C 2 ))(Ssem Q) 

Expanding the RHS of this equation: 
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Ssem ((S' A wlp(Ci,Q)) V (-5 A (wlp(C 2 ,Q))) 

= Wlp 

(Asi s 2 . if Ssem S Si then Csem C\ S\ s 2 else Csem C 2 Si s 2 ) 

(Ssem Q) 

= Wlp 

(Asi s 2 . (Ssem S s\ A Csem Ci si s 2 ) V (-6sem S si A Csem C 2 si s 2 )) 
(Ssem Q) 

= \s\. 

Ms 2 . (Ssem S si A Csem C\ si s 2 ) V (-6sem S si A Csem C 2 si s 2 ) 
Ssem Q s 2 

Now we expand the LHS: 

Ssem ((5 A wlp(Ci,Q)) V (-.S' A (wlp(C 2 ,Q))) 

= Asi. (Ssem S si A Ssem (wlp(Ci ,Q)) si) 

V 

(->Ssem S si A Ssem (wlp(C 2 ,Q)) «i) 

= Asi. (Ssem S s x A Wlp (Csem Ci) (Ssem Q) s x ) 

V 

(-■Ssem S' si A Wlp (Csem C 2 ) (Ssem Q) si) 

= Asi. (Ssem S si A (As. Vs'. Csem Ci s s' =>• Ssem Q s') si) 

V 

(-■Ssem S si A (As. Vs'. Csem C 2 s s' =>• Ssem Q s') si) 

= Asi. (Ssem S si A Vs'. Csem Ci si s' =>• Ssem Q s') 

V 

(-■Ssem S' si A Vs'. Csem C 2 si s' =>■ Ssem Q s') 

Combining simplified LHS and RHS equations: 

Asi. (Ssem S si A Vs'. Csem Ci si s' =>• Ssem Q s') 

V 

(-■Ssem S si A Vs'. Csem C 2 si s' =>• Ssem Q s') 

= Asi. 

Vs 2 . (Ssem S si A Csem Ci si s 2 ) V (->Ssem S' si A Csem C 2 si s 2 ) 
Ssem Q s 2 

which is true. Thus P 2 holds for conditionals. 

We are now left with defining wlp((WHILE S DO C) ,Q) so that Pi and 
P 2 hold. This is trickier than the previous cases. Notice that when defin¬ 
ing wlp (C ,Q) for assignments we just needed the specification language 
to allow textual substitution of expressions for variables and for condi¬ 
tionals we just needed the specification language to allow Boolean com¬ 
binations of statements. The usual specification language when relative 
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completeness is discussed is first order arithmetic. It is possible to define 
wlp((WHILE S DO C),Q ) for this language, but the details are fiddly. An ex¬ 
cellent account can be found in Glynn Winskel’s textbook [24, Chapter 7]. 
We shall instead assume more powerful features than are necessary in order 
to get a straightforward representation of WHILE-loop weakest preconditions. 
Specifically, we assume infinite conjunctions are allowed. What this means 
is that if we have an infinite family of statements, say S n for each natural 
number n, then we allow an Infinite’ formula /\ n. S n which means S n is 
true for every n e Num, i.e. S 0 A Si A S 2 ■ ■ ■ A S n A ■ ■ ■. Infinite conjunctions 
enable us to mimic the semantic definition in the specification language. The 
semantics definition is: 

Wlp (Csem(WHILE S DO C)) q 
= As. Vn. IterWIp n (Ssem S ) (Csem C ) s 
where IterWIp 0 p c q = As. ->(p s) q s 

IterWIp (n+ 1) p c q = As. p s =£► Wlp c (IterWIp n p c q) s 
the definition below in the specification language mimics this: 
wlp ((WHILE S DO C),Q) 

= f\n. iterwlp n S C Q 
where iterwlp 0 S C Q — (-> S =>- Q) 

iterwlp (n+ 1) S C Q — (S => wlp(C,(iterwlp n S C Q ))) 
Thus wlp ((WHILE S DO C) ,Q) = iterwlp 0 S C Q A iterwlp 1 S C Q ■ ■ ■ 
so in terms of the discussion of infinite conjunction above, we are taking 
S n to be iterwlp n S C Q. In Winskel’s book it is shown how Godel’s 
/3-function 1 can be used to build a finite first order formula expressing 
wlp ((WHILE S DO C) ,Q), so infinite conjunctions are not needed. However, 
we use the infinite formula above since it makes verifying Pi and P 2 straight¬ 
forward. 

To show Pi, i.e. I {wlp((WHILE S DO C) ,Q)} WHILE S DO C {Q}, it is 
sufficient to find an invariant R (perhaps provided by an annotation) such 
that: 

b wlp (WHILE S DO C ,Q) R 
I RA^S^Q 
b {R A S} C{R} 

Pi will then follow by the WHILE-rule and consequence rules. In fact taking 
R to be wlp (WHILE S DO C ,Q) will work! The first of the three conditions 

^ttp://planetmath.org/encyclopedia/GodelsBetaFunction.html 
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above is trivial. The second is almost trivial: iterwlp 0 S C Q is ->S =>- Q, 
so b (/\ n. iterwlp n S C Q) =$■ (->S => Q), hence: 

b (/\n. iterwlp n S C Q) A ->S => Q 
i.e.: 

b wlp(WHILE S DO C,Q) A —iS =>• Q 
For the third property we have by induction, for arbitrary n: 

b {wlp (C, iterwlp n S C Q)} C {iterwlp n S C Q} 

Hence by the definition of iterwlp and precondition strengthening: 

b {(iterwlp (n+1) S C Q) A S} C {iterwlp n S C Q} 

Applying the rule of specification conjunction infinitely many times: 
b {/\ n. (iterwlp (n+1) S C Q) A S} C {/\n. iterwlp n S C Q} 

In general b (/\ n. S n ) => (/\ n. S n+ 1 ) for any infinite set of statements 
S 0 , S i, ... since the set of statements being conjoined in the consequent of 
the implication is a subset of the set being conjoined in the antecedent. Thus 
by precondition strengthening applied to the Hoare triple above: 

b {/\ n. (iterwlp n S C Q) A S} C {/\n. iterwlp n S C Q} 

In general b (/\ n. (S n AS)) <=> ((/\ n. S„) AS), so by precondition strength¬ 
ening: 

b {(/\ n. iterwlp n S C Q) A S} C {/\n. iterwlp n S C Q} 
which by the definition of wlp (WHILE S DO C ,Q) is: 

b {wlp (WHILE S DO C ,Q) AS} C {wlp (WHILE S DO C, Q) } 

This is the desired invariance property of R. We have thus proved Pi when 
C is WHILE S DO C. 

To show P 2 , we must show: 

Ssem (wlp(WHILE S DO C,Q)) = Wlp (Csem (WHILE S DO C)) (Ssem Q) 


Ssem (/ \n. iterwlp n S C Q) 

= Wlp (Asi s 2 . 3n. Iter n (Ssem S) (Csem C) si s 2 ) (Ssem Q) 

= As. Vs'. (Asi s 2 . 3n. Iter n (Ssem S ) (Csem C) si s 2 ) s s' =>• (Ssem Q) s' 
= As. Vs'. (3n. Iter n (Ssem S) (Csem C ) s s') => Ssem Q s' 

= As. Vs' n. Iter n (Ssem S) (Csem C) s s' => Ssem Q s' 
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Now Ssem (/\ n. iterwlp n S C Q) s <=?■ Vn. Ssem (iterwlp n S C Q) s so 
we need to show for arbitrary s that: 

Vn. Ssem (iterwlp n S C Q) s 

= Vs' n. Iter n (Ssem S ) (Csem C) s s' Ssem Q s' 

We will show by induction of n that: 

Ssem (iterwlp n S C Q) s 

= Vs'. Iter n (Ssem S ) (Csem C) s s' Ssem Q s' 

This is sufficient as Vn. (Pi n = P 2 n) implies (Vn. Pi n) = (Vn. P 2 n). Recall 
the definitions of Iter and iterwlp: 

Iter 0 p c Si s 2 = ->(p Si) A (si=s 2 ) 

Iter (n+1) p c Si s 2 = p «i A 3s. c Si s A Iter n p c s s 2 

iterwlp 0 S C Q = (->S => Q) 

iterwlp (n+1) S C Q = (S => wlpCC,(iterwlp n S C Q ))) 

The basis case (n = 0) is: 

Ssem (iterwlp 0 S C Q) s 

= Vs'. Iter 0 (Ssem S ) (Csem C) s s' Ssem Q s' 


(-■(Ssem S s') => Ssem Q s') 

= Vs'. (->(Ssem S s) A (s = s')) Ssem Q s' 

This is clearly true. The induction step case is 
Ssem (iterwlp (n+1) S C Q) s 

= Vs'. Iter (n+1) (Ssem S) (Csem C) s s' => Ssem Q s' 

Unfolding Iter and iterwlp yields: 

Ssem ( S => wlpCC, (iterwlp n S C Q))) s 

= Vs'. (Ssem S s A 3s". Csem C s s" A Iter n (Ssem S) (Csem C) s" s') 
=> Ssem Q s' 

Evaluating the LHS: 

(Ssem S s =$• Ssem (wlpCC,(iterwlp n S C Q))) s) 

= Vs'. (Ssem S s A 3s". Csem Css" A Iter n (Ssem S) (Csem C) s" s') 
Ssem Q s' 

Using P 2 by the structural induction hypothesis (note we are doing a math¬ 
ematical induction on n inside the structural induction on C to prove P 2 ). 

(Ssem S s => Wlp (Csem C) (Ssem (iterwlp n S C Q)) s) 

= Vs'. (Ssem S s A 3s". Csem C s s" A Iter n (Ssem S) (Csem C) s" s') 
=> Ssem Q s' 




4.4. Verification conditions via wlp 


71 


Expanding Wlp: 

(Ssem S s => (As. Vs'. (Csem C) s s' =£► (Ssem (iterwlp n S C Q )) s') s) 

= Vs'. (Ssem S s A 3s". Csem Css" A Iter n (Ssem S') (Csem (7) s" s') 

=£► Ssem Q s' 

Reducing the LHS: 

(Ssem S s => Vs'. Csem C s s' =>• Ssem (iterwlp n S C Q) s') 

= Vs'. (Ssem S s A 3s". Csem Css" A Iter n (Ssem S) (Csem C) s" s') 

=>- Ssem Q s' 

The induction hypothesis for the induction on n we are doing is: 

Ssem (iterwlp n S C Q) s 

= Vs'. Iter n (Ssem S) (Csem C) s s' =$■ Ssem Q s' 

From this and the preceding equation: 

(Ssem S s 

=>■ Vs'. Csem Css'=^ (Vs". Iter n (Ssem S) (Csem C) s' s" =4> Ssem Q s")) 
= Vs'. (Ssem S' s A 3s". Csem Css" A Iter n (Ssem S) (Csem (7) s" s') 

=> Ssem Q s' 

Which simplifies to: 

(Ssem S s 

=>• Vs's". Csem Css'=^ Iter n (Ssem S) (Csem (7) s' s" => Ssem Q s") 

= Vs's". (Ssem S s A Csem Css" A Iter n (Ssem S') (Csem (7) s" s') 

=> Ssem Q s' 

Switching s' and s" in the RHS and pulling quantifiers to the front: 

(Vs's". Ssem S s 

=> Csem Css'=> Iter n (Ssem S) (Csem C) s' s" =>• Ssem Q s") 

= Vs's". (Ssem S s A Csem (7 s s' A Iter n (Ssem S) (Csem C) s' s") 

=> Ssem Q s" 

which is true. Thus we have proved P 2 when C is WHILE S DO C. This was 
the last case so we have now proved Pi and P 2 for all commands C. 

4.4 Verification conditions via wlp 

Weakest preconditions provide a way to understand verification conditions 
and to improve them. Recall property Pi: h (wlpCCCQ)} C {Q}- To prove 
{P} C {Q} it is thus sufficient (by precondition strengthening) to prove: 
h P => wlp((7,(5) and thus one can view P => wlp((7,(5) as a single ‘super 
verification condition’ for the goal {P} C {Q} which is generated without 
having to annotate (7! This works fine if C is loop-free, i.e. contains no 
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WHILE-commands. If C does contain WHILE-commands then wlpCC.Q) will 
be an infinite statement. 2 Proving such a statement will typically involve 
proving by induction what is essentially the verification condition for an in¬ 
variant. There is thus no getting away from finding invariants! However, 
it is possible to use the idea of weakest preconditions to both explain and 
improve the verification condition method. To see how it explains verifica¬ 
tion conditions recall from page 43 that the verification condition generated 
by: {P} Cf, ... ;C n ~±;V:=E {Q} is: {P} C x \ ... ;C n _i {QIE/V1} which 
is {P} C\) ... )C n - 1 {wlp(H :=E,Q)}. We can generalise this observation 
to reduce the number of annotations needed in sequences by only requir¬ 
ing annotations before commands that are not loop-free (i.e. contain WHILE- 
commands) and then to modify the verification conditions for sequences: 

Sequences 

1. The verification conditions generated by 

{P} G\ \ ... ;C n -i ; {R}C n {Q} 

(where C n contains a WHILE-command) are: 

(a) the verification conditions generated by 

{P}C 1 ;...-,C n _ 1 {R} 

(b) the verification conditions generated by 

{R} C n {Q} 

2. The verification conditions generated by 

{P} C \; ... \C n -i; C n {Q} 

(where C n is loop-free) are the verification conditions generated by 
{P} Ci; ... (wlpCC^Q)} 


The justification of these improved verification conditions is essentially the 
same as that given for the original ones, but using Pi rather than the as- 


2 It is possible to represent wlp (WHILE S DO C, Q) by a finite statement in a first order 
theory of arithmetic, but the statement is not suitable for use in actual verifications [24]. 
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signment axiom. However, using wlp ideas we can do even better and reduce 
the requirement for annotations to just invariants of WHILE-commands. The 
outline of the method is as follows: 

• define awp (C,Q) which is similar to wlp (C,Q) except for WHILE- 
commands, which must be annotated; 

• define a set of statements wvc( C ,Q) giving the conditions needed to 
verify that user-annotated invariants of all WHILE-loops in C really are 
invariants. 

It will follow from the definitions of awp and wvc that the conjunction of the 
statements in wvc (C,Q) entails (awpCC.Q)} C {Q}- If we define /\S to be 
the conjunction of all the statements in S, then this can be written as: 

b /\wvc(C, Q) (awpCC'.Q)} C {Q}. 

Hence by Modus Ponens and precondition strengthening, to prove 
{P} C {Q} it is sufficient to prove I /\wvc(C, Q) and b P => awp (C ,Q). 
If C is loop-free then it turns out that awp( C ,Q) = wlp (C ,Q) and 
wvc (C ,Q) = {}, so this method collapses to just proving b P => 
wlp (C ,Q). The definitions of awp (C ,Q) and wvc (.C ,Q) are recursive on C 
and are given below. It is assumed that all WHILE-commands are annotated: 
WHILE S DO {P} C. 


awp(V := E,Q) 

— Q lE/Vf 

awp(Cd ; C 2 ,Q) 

= awp(Ci, awp(C 2 ,Q)) 

awp(lF S THEM C x ELSE C 2 , Q) 

= (S A awp(C!, Q)) V (-.S' A awp(C 2 , Q)) 

awp(WHILE S DO {P} C, Q) 

= R 

wvc(V := E,Q) 

= {} 

wvc((7i ; C 2 ,Q) 

= wvc(Ci, awp(C 2 , Q)) U wvc(C 2 , Q ) 

wvc(IF S THEN Ci ELSE C 2 , Q) 

= wvc(Ci, Q) U wvc(C 2 , Q) 

wvc(WHILE S DO {P} C, Q ) 

= {RA^S^Q, RAS^ awp(C,P)} 

U wvc(C, P) 
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Theorem /\wvc((7, Q) => {awp(C, Q)} C {Q}. 

Proof outline 

Induction on C. 

C = V :=E. 

Awvc(C : =E, Q) =» {awp(C, Q)} C {Q} is T ^ {Q IE/VI }V := E {Q} 

C — Ci ;C 2 . 

AwvctCi jC^Q) & {awp(^;;C' 2 ,g)} Ci;C 2 {Q} is 

A(wvc(C'i,awp(C 2 ,g))Uwvc(C 2 ,Q)) => {awp(Ci, awp(C 2 ,g))} Ci;C 2 { Q }. 

By induction Awvc(C 2 ,Q) => (awp(C 2 ,g)} C 2 {Q} 

and Awvc(Ci, awp(C 2 , Q)) => {awp(Ci, awp(C 2 , Q))} C± {awp(C 2 , Q)}, 

hence result by the Sequencing Rule. 

C = IF S THEN Ci ELSE C 2 . 

Awvc(IF S THEN Cl ELSE C 2 , Q) 

{awp(lF 5 THEN Ci ELSE C 2 , Q)} IF S' THEN Ci ELSE C 2 {Q} 

. A( wvc ( C 'i> <3) u wvc(C 2 , Q)) 

1S => {(S' A awp(Ci, Q)) V (-.S' A awp(C 2 , Q)} IF S' THEN Ci ELSE C 2 {Q} ' 

By induction /\\nvc(C%,Q) => {awp(Ci,Q)} Ci {Q} 

and A wv ^-(C 2 , Q) =>• {awp(C 2 , Q)} C 2 {Q}. Strengthening preconditions 

gives Awvc(Ci, Q) =£■ {awp(Ci, Q) A S} Ci {Q} 

and A wvc (C < 2 , Q) => {awp(C 2 , Q) A -iS} C 2 {Q}, hence 

Awvc(Ci, g) =>■ {((S A awp(Ci, g)) V (-.S' A awp(C 2 , g))) A S} Cl {Q} 

and Awvc(C 2 ,g) => {((S A awp(Ci, g)) V (-S A awp(C 2 , Q))) A-S} C 2 {Q}, 

hence result by the Conditional Rule. 

C = WHILE S DO C. 

A wvc (WHILE S DO {R} C, g) =>• {awp(WHILE S DO {R} C, Q)} WHILE S DO {R} C {Q} 
is A({^ A -iS => g, R A S => awp(C, R)} U wvc(C,R)) =* 

{R} WHILE S DO {R} C {Q}. 

By induction /\\nvc(C,R) => {awp(C, R)} C {R}, hence result by WHILE- 
Rule. 


Q.E.D. 
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Example 

awp(R:=R-Y;Q:=Q+l, X = R + YxQ) 

= wlp(R:=R-Y;Q:=Q+l, X = R + YxQ) 

= X = R-Y + Y X Q+l 

awp(WHILE Y < R DO {X = R + Y x Q} R:=R-Y;Q:=Q+1, X = R+YxQ A R<Y) 

= X = R + Y X Q 

awp(Q: =0; WHILE Y<RD0{X = R + YxQ}R: =R-Y; Q:=Q+1, X = R+YxQ A R<Y) 

= X = R + Y x 0 

awp(R=X;Q: =0; WHILE Y < R DO {X = R + Y x Q} R:=R-Y; Q:=Q+1, X = R+YxQ A R<Y) 
=X=X+YxO 

wvc(R: =R-Y; Q: =Q+1, X) = {} 

wvc(WHILE Y < R DO {X = R + Y X Q} R:=R-Y;Q:=Q+1, X = R+YxQ A R<Y) 

= {X = R + Y x Q A -i(Y < R) =+ X = R+Y X Q A R<Y, 

X = R + Y XQAY <R=^X = R-Y + Y X Q+l} U {} 

wvc(Q: =0; WHILE Y<RDO{X = R + YxQ}R: =R-Y; Q:=Q+1, X = R+YxQ A R<Y) 

= {}U{X = R + YxQA -<(Y < R) => X = R+YxQ A R<Y, 

X = R + YxQAY<R=^X = R-Y + Y X Q+l} 

wvc(R=X; Q: =0; WHILE Y < RDO {X = R +Y x Q} R: =R-Y; Q:=Q+1, X = R+YxQ A R<Y) 
= {}U{X = R + YxQA -i(Y < R) => X = R+YxQ A R<Y, 

X = R + YxQAY<R=^X = R-Y + Y X Q+l} 

X = X + Y x 0 is T so by the theorem proved above: 

b (X = R + YxQA -i(Y < R) => X = R+YxQ A R<Y 

A 

X = R + Y xQAY<R+X = R-Y + Y X Q+l) 

{T} R=X;Q: =0; WHILE Y < R DO {X = R + Y x Q} {X = R+YxQ A R<Y} 

The calculation of awp ( C, Q ) and wvc (C ,Q) is not that different from clas¬ 
sical verification condition generation, but has the advantage of requiring 
fewer annotations. 

4.4.1 Strongest postconditions 

Weakest preconditions are calculated ‘backwards’ starting from a postcon¬ 
dition. There is a dual theory of strongest postconditions that are calcu- 
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lated ‘forwards’ starting from a precondition. The strongest postcondition 
sp( C,P) has the property that b {P} C {sp(C ,P)} and is strongest in 
the sense that for any Q: if b {P} C {Q} then b spCC.P) => Q. Intu¬ 
itively sp( C ,P) is a symbolic representation of the state after executing C 
in an initial state described by P. For assignments: 

sp(V:=E,P) =3v. (V = Elv/V\) A P[u/1/]} 

The existentially quantified variable v is the value of V in the state before 
executing the assignment (the initial state). The strongest postcondition 
expresses that after the assignment, the value of V is the value of E evaluated 
in the initial state (hence E [u /V \) and the precondition evaluated in the 
initial state (hence P[u/V]) continues to hold. Thus if the initial state is 
represented symbolically by the statement (V = v) A P then the state after 
executing V : =E is represented symbolically by (V = E[v/V"\) A Plv/V], 
For loop-free commands C, the calculation of sp (C,P) amounts to the 
‘symbolic execution’ of C starting from a symbolic state P. An advantages 
of symbolic execution is that it can allow the representation of the symbolic- 
state-so-far to be simplified ‘on-the-fly’, which may prune the statements 
generated (e.g. if the truthvalue of a conditional test can be determined then 
only one branch of the conditional need be symbolically executed). In the 
extreme case when P is so constraining that it is only satisfied by a single 
state, s say, then calculating sp (C',P) collapses to just running C in s - the 
truthvalue of each test is determined so there is no need to consider both 
branches of conditionals [12]. Backwards pruning, though possible, is less 
natural when calculating weakest preconditions. 

Several modern automatic verification methods are based on computing 
strongest postconditions for loop free code by symbolic execution. It is also 
possible to generate strongest postcondition verification conditions for WHILE- 
commands in a manner similar, but dual, to that described above using 
weakest preconditions. However, this is not the standard approach, though 
it may have future potential, especially if combined with backward methods. 

4.4.2 Syntactic versus semantic proof methods 

Originally Hoare logic was a proof theory for program verification that pro¬ 
vided a method to prove programs correct by formal deduction. In practice, 
only simple programs could be proved by hand, and soon automated methods 
based on verification conditions emerged. The first idea was to convert the 
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problem of proving {P} C {Q} into a purely mathematical/logical problem 
of proving statements in first order logic (i.e. verification conditions) as in the 
early days theorem provers mainly supported first order logic. However, now 
we have theorem proving technology for more expressive logics (e.g. higher 
order logic) that are powerful enough to represent directly the semantics of 
Hoare triples. Thus we now have two approaches to proving {P} C {Q}'- 

(i) Syntactic: first generate VCs and then prove them; 

(ii) Semantic: directly prove Hsem (Ssem P) (Csem C) (Ssem Q ). 

Both of these approaches are used. The VC method is perhaps more common 
for shallow analysis of large code bases and the semantic method for full proof 
of correctness, though this is an oversimplification. 
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Chapter 5 


Total Correctness 


The axioms and rules of Hoare logic are extended to total correct¬ 
ness. Verification conditions for total correctness specifications 
are given. 


In Section 1.3 the notation [P] C [Q] was introduced for the total correct¬ 
ness specification that C halts in a state satisfying Q whenever it is executed 
in a state satisfying P. At the end of the section describing the WHILE-rule 
(Section 2.1.8), it is shown that the rule is not valid for total correctness spec¬ 
ifications. This is because WHILE-commands may introduce non-termination. 
None of the other commands can introduce non-termination, and thus the 
rules of Hoare logic can be used. 

5.1 Non-looping commands 

Replacing curly brackets by square ones results in the following axioms and 
rules. 

Assignment axiom for total correctness 

b [PlE/\r\]V:=E [P] 

Precondition strengthening for total correctness 

b P=>P', b [P'} C [Q] 

^ [P] C [Q] 

Postcondition weakening for total correctness 

b [P]C[Q'\, b Q’^Q 

I" IP] C [Q] 
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Specification conjunction for total correctness 

I- [Pi] c IQi], P [P 2 ] C [Qj 
P [PiAP 2 ]C[Q,AQ 2 ] 


Specification disjunction for total correctness 

I- [Pi] c [Qi], P [P 2 ] C [Q 2 ] 

I- [P t V P 2 ] C [Qi V Q 2 ] 


Sequencing rule for total correctness 

P [P] Cl [g], I- [(?] c 2 [fl] 
P [P] c i: c 2 [fl] 


Derived sequencing rule for total correctness 



b 

1- [Pi] Cl [Qi] 

h Q, =*► P 2 

P [P 2 ] C 2 [Q 2 ] 

h Q 2 ^Ps 

P [P„] c„ [Q n ] 

Qn^ Q 

h [P]Ci; .. 

• ; c n [Q] 


Conditional rule for total correctness 

b [PAS] C % [Q], [PA^S\C 2 [Q] 

b [ P] IF S THEN Ci ELSE C 2 [Q] 

The rules just given are formally identical to the corresponding rules of 
Hoare logic, except that they have [ and ] instead of { and }. It is thus clear 
that the following is a valid derived rule. 

t jP} c W 

h [P] C [Q] 


C contains no WHILE-commands 
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5.2 The termination of assignments 

Note that the assignment axiom for total correctness states that assignment 
commands always terminate, which implicitly assumes that all function ap¬ 
plications in expressions terminate. This might not be the case if func¬ 
tions could be defined recursively. For example, consider the assignment: 
X := fact(— 1), where fact{n ) is defined recursively by: 

fact(n ) = if n — 0 then 1 else n x fact(n — 1) 

It is also assumed that erroneous expressions like 1/0 do not cause problems. 
Most programming languages will cause an error stop when division by zero 
is encountered. However, in our logic it follows that: 

I [T] X := 1/0 [X = 1/0] 

i.e. the assignment X := 1/0 always halts in a state in which the condition 
X = 1/0 holds. This assumes that 1/0 denotes some value that X can have. 
There are two possibilities: 

(i) 1/0 denotes some number; 

(ii) 1/0 denotes some kind of ‘error value’. 

It seems at first sight that adopting (ii) is the most natural choice. However, 
this makes it tricky to see what arithmetical laws should hold. For example, is 
(1/0) x 0 equal to 0 or to some ‘error value’ ? If the latter, then it is no longer 
the case that n x 0 = 0 is a valid general law of arithmetic? It is possible to 
make everything work with undefined and/or error values, but the resultant 
theory is a bit messy. We shall assume here that arithmetic expressions 
always denote numbers, but in some cases exactly what the number is will 
be not fully specified. For example, we will assume that rn/n denotes a 
number for any m and n, but the only property of “/” that is assumed is: 

-i (n = 0) ( m/n ) x n = m 

It is not possible to deduce anything about m/0 from this. 

Another approach to errors is to extend the semantics of commands to 
allow ‘faults’ to be results as well as states. This approach is used in Chap¬ 
ter 7 to handle memory errors, but a similar idea could also handle other 
expression evaluation errors (though at the expense of a more complex se¬ 
mantics) . 
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5.3 WHILE-rule for total correctness 

WHILE-commands are the only commands in our little language that can 
cause non-termination, they are thus the only kind of command with a non¬ 
trivial termination rule. The idea behind the WHILE-rule for total correctness 
is that to prove WHILE S DO C terminates one must show that some non¬ 
negative quantity decreases on each iteration of C. This decreasing quantity 
is called a variant. In the rule below, the variant is E, and the fact that 
it decreases is specified with an auxiliary variable n. An extra hypothesis, 
b P A S =>• E > 0, ensures the variant is non-negative. 


WHILE-rule for total correctness 


b [P A S A (E = n)\ C [P A (E < n)], b P A S => E > 0 
b [ P } WHILE S DO C [P A -.S'] 

where E is an integer-valued expression and n is an auxiliary variable not 
occurring in P, (7, S or E. 

Example: We show: 

b [Y > 0] WHILE Y<R DO (R:=R-Y; Q:=Q+1) [T] 

Take 

P = Y > 0 
S = Y < R 
E = R 

C = (R:=R-Y Q:=Q+1) 

We want to show b [P] WHILE S DO C [T], By the WHILE-rule for total 
correctness it is sufficient to show: 

(i) b [P A S A (E = n)] C [P A (E < n)] 

(ii) b PAS^E>0 

and then use postcondition weakening to weaken the postcondition in the 
conclusion of the WHILE-rule to T. Statement (i) above is proved by showing: 

b {P A S A (E = n)} C {P A (E < n)} 
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and then using the total correctness rule for non-looping commands. The 
verification condition for this partial correctness specification is: 

Y>0 A Y < R A R = n =>• (Y > 0 A R < n) [Q+l/Q] [R-Y/R] 
i.e. 

Y>0 A Y < R A R = n => Y>0A R-Y < n 

which follows from the laws of arithmetic. 

Statement (ii) above is just b Y>0 A Y < R R > 0, which follows 
from the laws of arithmetic. 


5.4 Termination specifications 

As already discussed in Section 1.3, the relation between partial and total 
correctness is informally given by the equation: 

Total correctness = Termination + Partial correctness. 

This informal equation above can now be represented by the following 
two formal rule of inferences. 

I- {P} C {Q}, h [P] C [T] 
h [P] C [Q] 

I- IP] C [Q] 

I- IP] C {«}, h [P] C [T] 

5.5 Verification conditions for termination 

The idea of verification conditions is easily extended to deal with total cor¬ 
rectness. We just consider the simple approach of Chapter 3 here, but the 
improved method based on weakest preconditions described in Section 4.4 is 
easily adapted to deal with termination. 

To generate verification conditions for WHILE-commands, it is necessary 
to add a variant as an annotation in addition to an invariant. No other extra 
annotations are needed for total correctness. We assume this is added directly 
after the invariant, surrounded by square brackets. A correctly annotated 
total correctness specification of a WHILE-command thus has the form 
[P] WHILE S DO {R}[E} C [Q] 
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where R is the invariant and E the variant. Note that the variant is intended 
to be a non-negative expression that decreases each time around the WHILE 
loop. The other annotations, which are enclosed in curly brackets, are meant 
to be conditions that are true whenever control reaches them. The use of 
square brackets around variant annotations is meant to be suggestive of this 
difference. 

The rules for generating verification conditions from total correctness 
specifications are now given in the same format as the rules for generating 
partial correctness verification conditions given in Section 3.4. 

5.6 Verification condition generation 

Assignment commands 

The single verification condition generated by 

[i 3 ] V :=E [Q\ 
is 

_ P =» QIE/V] _ 

Example: The single verification condition for: [X=0] X:=X+1 [X=l] is: 
X=0 => (X+l)=l. This is the same as for partial correctness. 

Conditionals 

The verification conditions generated from 

[P] IF S THEN Ci ELSE C 2 [Q] 
are 

(i) the verification conditions generated by [P A S] C\ [Q\ 

(ii) the verifications generated by [P A ->S] C 2 [Q] 

If Cx) ... ;C n is properly annotated, then (see page 41) it must be of one 
of the two forms: 


1. Ci ; ... ',C n -i ; {R}<f%t or 

2. Ci, ... ;C n _i;V := E. 





5.6. Verification condition generation 


85 

where, in both cases, C\ ; ... ; C' n _i is a properly annotated command. 

Sequences 

1. The verification conditions generated by: 

[J>] C i; ...;C n . i; {R}C n [<?] 

(where C n is not an assignment) are: 

(a) the verification conditions generated by 

[P]C i; ... [K] 

(b) the verihcation conditions generated by 

[A] a » [q] 

2. The verihcation conditions generated by 

[P}C 1 ;...;C n _ 1 ;V:=E [Q] 

are the verihcation conditions generated by 

[P] C i; ... 5 0U [QIE/V1] 

Example: The verihcation conditions generated from 

[X=x A Y=y] R:=X; X:=Y; Y:=R [X=y A Y=x] 
are those generated by 

[X=x A Y=y] R:=X; X:=Y [(X=y A Y=x)[R/Y]] 
which, after doing the substitution, simplihes to 

[X=x A Y=y] R:=X; X:=Y [X=y A R=x] 

The verihcation conditions generated by this are those generated by 
[X=x A Y=y] R:=X [(X=y A R=x)[Y/X]] 
which, after doing the substitution, simplihes to 
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[X=x A Y=y] R:=X [Y=y A R=x]. 

The only verification condition generated by this is 

X=x A Y=y =>• (Y=y A R=x) [X/R] 
which, after doing the substitution, simplifies to 

X=x A Y=y =>• Y=y A X=x 

which is obviously true. 

A correctly annotated specification of a WHILE-command has the form 
[P] WHILE S DO {R}[E} C [Q] 

The verification conditions are: 

WHILE-commands 

The verification conditions generated from 

[P] WHILE S DO {R}[E} C [Q] 
are 

(i) P =» R 

(ii) R A =► Q 

(iii) R A S =>■ E > 0 

(iv) the verification conditions generated by 

[R A S A (E = n)] C[R A {E < n)} 
where n is an auxiliary variable not occurring in P, C , S A, E, Q. 


Example: The verification conditions for 
[R=X A Q=0] 

WHILE Y<R DO {X=R+YxQ}[R] 
(R:=R-Y; Q=Q+1) 

[X = R+(YxQ) A R<Y] 


are: 
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(i) R=X A Q=0 =>• (X = R+(YxQ)) 

(ii) X = R+YxQ A -i(Y<R) =>• (X = R+(YxQ) A R<Y) 

(iii) X = R+YxQ A Y<R => R>0 

together with the verification condition for 

[X = R+(YxQ) A (Y<R) A (R=n)] 

(R:=R-Y; Q:=Q+1) 

[X=R+(YxQ) A (R<n)] 

which (exercise for the reader) consists of the single condition 

(iv) X = R+(YxQ) A (Y<R) A (R=n) X = (R-Y) + (Yx (Q+l)) A ((R-Y)<n) 
But this isn’t true (take Y=0)! 

We leave it as an exercise for the reader to extend the argument given in 
Section 3.5 to a justification of the total correctness verification conditions. 
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Chapter 6 


Program Refinement 


Floyd-Hoare Logic is a method of proving that existing programs 
meet their specifications. It can also be used as a basis for ‘refin¬ 
ing ’ specifications to programs - i. e. as the basis for a program¬ 
ming methodology. 


6.1 Introduction 

The task of a programmer can be viewed as taking a specification consisting of 
a precondition P and postcondition Q and then coming up with a command 
C such that F [P] C [Q]. 

Theories of refinement present rules for ‘calculating’ programs C from 
specification P and Q. A key idea, due to Ralph Back [3] of Finland (and 
subsequently rediscovered by both Joseph Morris [21] and Carroll Morgan 
[20]), is to introduce a new class of programming constructs, called specifica¬ 
tions. These play the same syntactic role as commands, but are not directly 
executable though they are guaranteed to achieve a given postcondition from 
a given precondition. The resulting generalized programming language con¬ 
tains pure specifications, pure code and mixtures of the two. Such languages 
are called wide spectrum languages. 

The approach taken here 1 follows the style of refinement developed by 
Morgan, but is founded on Floyd-Hoare logic, rather than on Dijkstra’s the¬ 
ory of weakest preconditions (see Section 4.3.3). This foundation is a bit more 
concrete and syntactical than the traditional one: a specification is identi¬ 
fied with its set of possible implementations and refinement is represented as 
manipulations on sets of ordinary commands. This approach aims to con- 

1 The approach to refinement described here is due to Paul Curzon. Mark Staples and 
Joakim Von Wright provided some feedback on an early draft, which I have incorporated 
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vey the ‘look and feel’ of (Morgan style) refinement using the notational and 
conceptual ingredients introduced in the preceding chapters. 

The notation [P, Q] will be used for specifications, and thus: 

[P, Q] = { C | b [P] C [Q] } 

The process of refinement will then consist of a sequence of steps that make 
systematic design decisions to narrow down the sets of possible implemen¬ 
tations until a unique implementation is reached. Thus a refinement of a 
specification S to an implementation C has the form: 

5 5 S 1 D S 2 ■ ■ ■ D S n D {C} 

The initial specification S has the form [P, Q\ and each intermediate 
specification Si is obtained from its predecessor <S,_i by the application of a 
refinement law. 

In the literature S D S' is normally written S jZ S'. The use of “D” 
here, instead of the more abstract “C”, reflects the concrete interpretation 
of refinement as the narrowing down of sets of implementations. 

6.2 Refinement laws 

The refinement laws are derived from the axioms and rules of Floyd-Hoare 
Logic. In order to state these laws, the usual notation for commands is 
extended to sets of commands as follows (C, Ci, C 2 etc. range over sets of 
commands): 

Ci; ■ ■ ■ ;C n = { Ci ; • • • ;C n \ Ci e Ci A • • • A C n € C n } 

BEGIN VAR Vi; ■■■ VAR V n ; C END = { BEGIN VAR Vi; • • • VAR V n ; C END | C eC } 

IF S THEN C = { IF S THEN C \ C eC} 

IF S THEN Ci ELSE C 2 = { IF S THEN Ci ELSE C 2 | Pi S Ci A C 2 S C 2 } 

WHILE S DO C = { WHILE S DO C \ C gC} 

This notation for sets of commands can be viewed as constituting a wide 
spectrum language. 

Note that such sets of commands are monotonic with respect to refine¬ 
ment (i.e. inclusion). If C D C', C\ D ... , C n D C' n then: 
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C i; ••• ;C„ 

dc; ; ••• ;C' n 

BEGIN VAR Ri ; • • • VAR 14 ; C END D BEGIN VAR Vi ; • • • VAR V n ; C' END 

IF S THEN C 

P IF S THEN C' 

IF S THEN Ci ELSE C- 

i P IF S THEN C’i ELSE C’ 2 

WHILE S DO C 

P WHILE S DO C 

This monotonicity shows that a command can be refined by separately re¬ 
fining its constituents. 

The following ‘laws’ follow directly from the definitions above and the 
axioms and rules of Floyd-Hoare logic. 


The Skip Law 


[P, P] D {SKIP} 

Derivation 

C G {SKIP} 

C = SKIP 
=> F [P] C [P] 
<s> Ce[P, P] 

(Skip Axiom) 

(Definition of [P, P]) 


The Assignment Law 


[PIE/VI, P] a {V := E} 


Derivation 

C£{V := E} 

C = V := E 

=> h \P\_E/V~\) C [P] (Assignment Axiom) 

<s> Ce[PIE/VI, p ] (Definition of [P IE/VI , P]) 
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Derived Assignment Law 


[P, Q] 2 {V:-£} 
provided h P => QLE/VG 

Derivation 

Ce{V :=£} 

O C = V : = 

E 

=> b \Q [E/V~\ ] C [Q] (Assignment Axiom) 

=► ^ [P]C [Q] 

(Precondition Strengthening & b P => Q [P/P]) 

Ce[P, Q] 

(Definition of [P, Q ]) 


Precondition Weakening 

IP, Q] 2 [P, Q] 

provided h P =k R 

Derivation 

C € [it, Q] 

b [it] C [Q] 

(Definition of [it, Q]) 

=> ^ [P]C [Q] 

(Precondition Strengthening & b P => it) 

Ce[P, Q] 

(Definition of [P, Q]) 


Postcondition Strengthening 

[P, Q] D [P, R] 

provided h R =>• Q 


Derivation 

c e [p, R] 

& b [P] C [it] (Definition of [ R, Q]) 

=> b [P] C [Q] (Postcondition Weakening & b R, => Q) 

C e [P, Q\ (Definition of [P, Q]) 
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The Sequencing Law 

[P, Q\ 2 [P, P] ; [P, Q] 


Derivation 


C G [P, P] ; [ P, Q\ 

C € { Ci ; C 2 | Ci 6 [P, P] & C 2 e [P, Q]} 

^ C G { Ci ; C 2 | b [P] C, [P] & b [P] C 2 [Q]} 

=► C €{Ci ; C 2 I - [P] C, ; C 2 [Q]} 


=► I" [P] C [Q\ 
Ce[P, Q] 


(Definition of Ci ; C 2 ) 
(Definition of [P, P] and [P, Q}) 
(Sequencing Rule) 

(Definition of [P, Q]) 


The Block Law 

[P, Q] D BEGIN VAR V; [P, Q] END 
where V does not occur in P or Q 


Derivation 

C G BEGIN VAR V ; [P, Q] END 

<t^> Ce (BEGIN VAR V ; & END | 

C' G [P, Q]} 

<^> C G (BEGIN VAR V ; C" END | 

h [P] C' [Q]} 

C G (BEGIN VAR V ; C" END | 

b [P] BEGIN VAR V ; C' END 

^ I" [P] C [Q] 

Cg[P, Q] 


(Definition of BEGIN VAR V ; C END) 
(Definition of [P, Q]) 

[Q\ } (Block Rule & V not in P or Q) 
(Definition of [P, Q]) 


The One-armed Conditional Law 


[P, Q] D IF S THEN [P A S, Q] 
provided h PA -iP =£► Q 
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Derivation 


C GIF S THEN [P A S, Q\ 

C G {IF S THEN C' | 

C' G [PAS, Q}} 

C G {IF S THEN C' I 

fi [PA5] a IQ]} 

=> C G {IF S' THEN C' I 

b [P] IF S THEN C' [Q]} 

=> h [P] C [Q] 
o Cg[P, Q] 


(Definition of IF S THEN C) 

(Definition of [P AS, Q]) 

(One-armed Conditional Rule & b P A ->S => Q) 
(Definition of [P, Q ]) 


The Two-armed Conditional Law 

[P, Q] D IF S THEN [P A S, Q] ELSE [P A ^S, Q] 


Derivation 


C G IF S THEN [PAS, Q\ ELSE [PA-.S, Q] 

C G {IF S THEN Ci ELSE C 2 | 

Ci G [PAS, Q]kC 2 G [PA-iS, Q]} 

C e {IF S THEN Ci THEN C 2 | 

b [PAS] Ci [Q] k b [PA-iS] C 2 [Q]} 
C e {IF S THEN Ci ELSE C 2 | 

b [P] IF S THEN Ci ELSE C 2 [Q]} 

=► I- [P] C [Q] 
o Cg[P, Q] 


(Definition of IF S THEN Ci ELSE C 2 ) 
(Definition of [PAS, Q] & [PA^S, Q]) 
(Two-armed Conditional Rule) 


(Definition of [P, Q]) 


The While Law 

[P, P A -i<S'] 3 WHILE S DO [P AS A (E=n), P A (E<n)] 
provided b P A S ^ E > 0 

where E is an integer-valued expression and n is an identifier 
not occurring in P, S or E. 
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Derivation 


(Definition of WHILE S DO C) 
(Definition of 

[P AS A(E = n), P A(E < n)]) 
(While Rule & b PA5=> E > 0) 
(Definition of [P, P A -iS 1 ]) 


6.3 An example 


C e WHILE S DO [P A S A (E = n), P A (E < n)] 

<^> C6 (WHILE S DO C' | 

C'e [P A S A(E = n), P A (E < n)]} 

<S> C £ (WHILE S DO C' | 

h [P A S A(E = n)\ C' [P A (E < n)]} 
=> C e (WHILE S DO C' | 

h [ P ] WHILE S DO C' [P A ^S 1 ]} 

=> b [P]C [PA -5] 

<S> C e [P, P A 


The notation [Pi, P 2 , -P 3 , • • • , P n -i, P n \ will be used to abbreviate: 


[Pi, P 2 ] ; [P 2 , P 3 \; ■■■ ; [P n - 1 , ^n] 


The brackets around fully rehned specifications of the form {C} will be 
omitted - e.g. if C is a set of commands, then R := X ; C abbreviates 
{R := X} ; C. 

The familiar division program can be ‘calculated’ by the following refine¬ 
ment of the specification: [Y > 0, X = R + {Y x Q) A R < Y] 

Let 1 stand for the invariant X = R + (Y x Q). In the refinement that 
follows, the comments in curley brackets after the symbol “3” indicate the 
refinement law used for the step. 
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\Y > 0, X A R<Y] 

D (Sequencing) 

[y >o, r = x a y >o, l a i?<y] 

3 (Assignment) 

R :=X ; [R = X A Y > 0, 1 A it < A] 

3 (Sequencing) 

it := A ; [R = X A y>0, it = A A y>0 A Q = 0, X A R<Y} 
3 (Assignment) 

it := A ; Q :=0 ; [R = X A y>0 A Q = 0, X A R<Y] 

3 (Precondition Weakening) 

R := A ; Q := 0 ; [1 A Y > 0, X A R < Y] 

;j| (Postcondition Strengthening) 

R := X ; Q := 0 ; [I A Y > 0, I A Y > 0 A -.(y < it)] 

» (While) 

i? := X ; Q := 0 ; 

WHILE Y <R DO [1 A y>0 A Y <R A R = n, 

X A y>0 A R < n] 

3 (Sequencing) 

R := X ; Q :=0 ; 

WHILE Y <R DO [X A y>0 A Y <R A i? = n, 

A = {R - Y) + (y x Q) A y > 0 A ( R-Y)<n , 

I A y>0 A fl<n] 

3 (Derived Assignment) 
it := A ; Q := 0 ; 

WHILE Y <R DO [X A A>0 A Y <R A R = n, 

X = {R - Y) + (Y x Q) A y > 0 A (. R-Y)<n] 

R :=R-Y 

3 (Derived Assignment) 

R := A ; Q :=0 ; 

WHILE Y <R DO Q :=Q + 1 ; R := R-Y 


6.4 General remarks 


The ‘Morgan style of refinement’ illustrated here provides laws for system¬ 
atically introducing structure with the aim of eventually getting rid of spec¬ 
ification statements. This style has been accused of being “programming in 
the microscopic”. 

The ‘Back style’ is less rigidly top-down and provides a more flexible 
(but maybe also more chaotic) program development framework. It also 
emphasises and supports transformations that distribute control (e.g. going 
from sequential to parallel programs). General algebraic laws not specifically 
involving specification statements are used, for example: 

C = IF S THEN C ELSE C 


which can be used both to introduce and eliminate conditionals. 
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Both styles of refinement include large-scale transformations (data refine¬ 
ment and superposition) where a refinement step actually is a much larger 
change than a simple IF or WHILE introduction. However, this will not be 
covered here. 
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Chapter 7 


Pointers and Local Reasoning 


Reasoning about programs that manipulate pointers (e.g. in-place 
list reversal) can be done using Hoare logic, but with traditional 
methods it is cumbersome. In the last 10 years a new elegant 
approach based on ‘local reasoning ’ has emerged and given rise to 
a version of Hoare logic called separation logic. 

Programs are represented semantically as relations between initial and 
final states. Up to now states have been represented by functions from vari¬ 
ables to values. To represent the pointer structures used to represent fists, 
trees etc. we need to add another component to states called the heap. 

7.1 Pointer manipulation constructs 

For the simple (non pointer manipulating) language in previous chapters the 
state was a function mapping variables to values. We now need to add a 
representation of the heap. Following Yang and O’Hearn [25], a store is 
defined to be what previously we called the state. 1 The set Store of stores is 
thus defined by: 

Store = Var —»■ Va 1 

Pointers will be represented by locations, which are mathematical abstrac¬ 
tions of computer memory address and will be modelled by natural numbers. 
The contents of locations will be values, which are assumed to include both 
locations and data values, e.g. integers and nil (see later). The contents of 
pointers are stored in the heap, which is a finite function - i.e. a function with 
a finite domain - from natural numbers (representing pointers) to values. 
Heap = Num —^ f in Va 1 

where we use the notation A B to denote the set of finite functions 

from A to B. If / : A B then the domain of / is a finite subset of A 

1 In early work the store was called the environment [29] and it is now sometimes also 
called the stack. 
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denoted by dom (/) (or dom /) and is the subset of A on which / is defined. 
The notation / [6/a] denotes the function that is the same as / except that 
it maps a to b. If a dom (/), then a is added to the domain of /[6/a], 
thus: dom (/ [ b/a ]) = dom (/) U {a}. The notation f-a denotes the function 
obtained from / by deleting a from its domain, thus dom(/-a) = dom(/)\{a} 
(where A\B denotes the set of elements of A that are not in B). The notation 
{li !->■ »i,..., l n *-+ v n } denotes the finite function with domain {7i,..., l n } 
which maps U to Vi (for 1 < i < n). A location, or pointer, is said to be in 
the heap h if it is a member of dom(h). 

The new kind of state will be a pair (s, h) where s £ Store and h £ Heap. 
To extend states to include heaps we redefine the set State of states to be: 

State = Store x Heap 

We add to our language four new kinds of atomic commands that read 
from, write to, extend or shrink the heap. An important feature is that some 
of them can fault. For example, an attempt to read from a pointer that is 
not in the heap faults. The executions of these constructs takes place with 
respect to a given heap. The new commands are described below. 

1. Fetch assignments: V : = IE~\ 

Evaluate E to get a location and then assign its contents to the variable 
V. Faults if the value of E is not in the heap. 

2. Heap assignments: [E/] :=E 2 

Evaluate E x to get a location and then store the value resulting from 
evaluating E 2 as its contents. Faults if the value of E\ is not in the 
heap. 

3. Allocation assignments: V :=cons(£' 1 ,..., E n ) 

Choose n consecutive locations that are not in the heap, say l, l+l ,..., 
extend the heap by adding these to its domain, assign l to the variable 
V and store the values of expressions Ei,E 2 ,... as the contents of 
l , /+1,.... This is non-deterministic because any suitable l , l+l, ... 
not in the heap can be chosen. Such numbers exist because the heap 
is finite. This never faults. 

4. Pointer disposal: dispose (E) 

Evaluate E to get a pointer l (a number) and then remove this from the 
heap (i.e. remove it from the domain of the finite function representing 
the heap). Faults if l is not in the heap. 
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Example 

Here is a nonsense sequence of assignments as a concrete illustration: 

X:=cons(0,1,2) ; [X]:=Y+1; [X+l]:=Z; [X+2]:=Y+Z; Y: = [Y+Z] 

The first assignment allocates three new pointers - say l , 1+ 1, 1+2 - at 
consecutive locations; the first is initialised with contents 0, the second with 
1 and the third with 2 and the variable X is assigned to point to l. The 
second command changes the contents of l to be the value of Y+l. The 
third command changes the contents of l+l to be the value of Z. The last 
command changes the value of Y in the store to the contents in the heap of 
the value of the expression Y+Z, considered as a location; this might fault if 
the expression Y+Z evaluates to a number not in the heap. 

For simplicity, expressions only depend on the state not the heap. Thus 
expressions like [fij] + [E 2 1 are not allowed. In our language, which is 
adapted from the standard reference [25], only commands depend on the 
heap. Expressions denote functions from stores to values. 

Pointers are used to represent data-structures such as linked lists and 
trees. We need to introduce some specification mechanisms to deal with 
these, which we will do in Section 7.3.5. First, as preparation, we consider 
some simple examples that illustrate subtleties that we have to face. Consider 
the following sequence of assignments: 

X:=cons(0) ; Y:=X; [Y]:=Z; W: = [X] 

This assigns X and Y to a new pointer, then makes the contents of this 
pointer be the value of Z and then assigns W to the value of the pointer. Thus 
intuitively we would expect that the following Hoare triple holds: 

{T} X:=cons(0); Y:=X; [Y]:=Z; W:=[X] {W = Z} 

How can we prove this? We need additional assignment axioms to handle 
fetch, store and allocation assignments. But this is not all ... how can we 
specify that the contents of the pointer values of X and Y are equal to the 
value of the expression Y? This is a property of the heap, so we need to be 
able to specify postconditions whose truth depends on the heap as well as on 
the state. We would also like to be able to specify preconditions on the heap 
so as to be able to prove things like: 

{contents of pointers X and Y are equal} X: = [X] ; Y: = [Y] {X = Y} 
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For example, if X is 1 and Y is 2 in the state, and if both locations 1 and 2 
have contents v in the heap, then the two fetch assignments will assign v to 
both X and Y. 

Separation logic is one of several competing methods for reasoning about 
pointer manipulating programs. It is a development from Hoare logic and 
smoothly extends the earlier material in this course. Separation logic pro¬ 
vides various constructs for making assertions about the heap and Hoare-like 
axioms and rules for proving Hoare triples that use these assertions. The 
details are quite delicate and have taken many years to evolve, starting from 
work by Rod Burstall in the 1970s [27] then evolving via several only par¬ 
tially successful attempts until finally, reaching the current form in the work 
of O’Hearn, Reynolds and Yang [26] (this paper contains a short history and 
further references). A good introduction is John Reynolds’ course notes [23], 
from which I have taken many ideas including the linked list reversal example 
in the following section. 

7.2 Example: reversing a linked list 

Linked lists are a simple example of a data-structure. We need to distinguish 
the elements of a list - the data - from the pointer structure that represents 
it. Each element of the list is held as the contents of a location and then 
the contents of the successor location is the address of the next element in 
the list. The end of the list is indicated by nil. The diagram below shows 
the list [a, b, c] stored in a linked list data-structure where a is the contents 
of location Z, b is the contents of location m and c then contents of n. The 
contents of n+1 is nil, indicating the end of the list. 

Z3HZE3HZED 

1 1+1 m m+1 n n+1 

If X has value l in the store, then X points to a linked list holding [a, b, c]. 

The following program reverses a linked list pointed to by X with the 
resulting reversed list being pointed to by Y after the loop halts. 

Y:=nil; 

WHILE ^(X = nil) DO (Z: = [X+1]; [X+l] :=Y; Y:=X; X:=Z) 

Below is a trace of the execution when X points to a linked list holding 
the data list [a, b, c]. A blank line precedes each loop iteration. 
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Store | Heap 


X = 

1, Y =?, Z =? 


1 a, 

l+l H+ m, 

m b, m+l 

n, n c, 

n+1 H+ nil 

X = 

1, Y = nil, Z = 


1 a, 

l+l I-+ m, 

m b, m+l 

n, n c, 

n+1 H+ nil 


1 

X = 

1, Y = nil, Z = 

77T 

l l—^ 3 ? 

l+l H+ m, 

m b, m+l 

n, n c, 

n+1 H+ nil 

X = 

1, Y = nil, Z = 

m 

1 a, 

l+l i-> nil, 

m b, m+l 

n, n c, 

n+1 h+ nil 

X = 

1, Y = 1, Z = m 

1 a, 

1+1 ^ nil, 

m h+ b, m+l 

n, n h+ c, 

n+1 nil 

X = 

m, Y - Z = 

m 

1 a, 

l+l ^ nil, 

m b, m+l h-+ 

n, n c, 

n+1 h* nil 


1 

X = 

m, Y - 1. Z = 

n 

1 a, 

l+l ^ nil, 

m b, m+l 

n, n h+ c, 

n+1 nil 

X = 

m, Y = 1, Z = 

n 

1 a, 

l+l i-> nil, 

m b, m+l 

1, n c, 

n+1 i->- nil 

X = 

m, Y = m, Z 

= n 

1 a, 

l+l ^ nil, 

m b, m+l 

1, n c, 

n+1 i ^ nil 

X = 

n, Y = m, Z = 

Tl 

1 a, 

l+l ^ nil, 

m b, m+l 

1, n c, 

n+1 i->- nil 


1 

X = 

n, Y = to, Z = 

nil 

1 a, 

l+l nil, 

m b, m+l 

1, n c, 

n+1 i—^ nil 

X = 

n, Y = m, Z = 

nil 

1 1 -+ a, 

l+l nil, 

m b, m+l 

1, n c, 

n+1 i-> m 

X = 

n, Y = n, Z = 

nil 

1 1 -+ a, 

l+l nil, 

m b, m+l 

1, n c, 

n+1 !->■ m 

X = 

nil, Y = n, Z = 

nil 

1 a, 

l+l nil, 

m b, m+l 

1, n c, 

n+1 !->■ m 


Below is a pointer diagram that shows the states at the start of each of 
the three iterations and the final state. The bindings of X, Y and Z in the 
store are shown to the left. The heap is to the right; addresses (locations) of 
the ‘cons cell’ boxes are shown below them. 



1 1+1 m m+l n n+1 
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To specify that the reversing program works we will formulate a Hoare triple 
that, intuitively, says: 

{X points to a linked list holding x } 

Y :=nil; 

WHILE -.(X = nil) DO (Z: = [X+1]; [X+l] :=Y; Y:=X; X:=Z) 

{ Y points to a linked list holding rev(x)} 

where x is an auxiliary variable representing a list (e.g. [a, b, c]) and rev(x) 
is the reversed list (e.g. [c, b, a]). This is formalised using separation logic 
assertions, which are described in the next section. 


7.3 Separation logic assertions 

In Section 4.2, the semantics of a statement was represented by a predicate on 
states, where what we called states in that section are called stores here. We 
will call such statements classical statements. They correspond to functions 
of type Store —>• Bool and say nothing about the heap. The set of classical 
statements is Sta. For the current setting we need to redefine Ssem to map 
stores (rather than states) to Booleans (i.e. Ssem : Sta —>• Store —>• Bool). 

Separation logic [26] introduces a Hoare triple {P} C {Q} where P and 
Q are predicates on the state and the state is a store-heap pair (s, h). The 
function SSsem maps a separation logic statement to a predicate on states. 
Thus if SSta is the set of separation logic statements (which we haven’t yet 
described) then: 

SSsem : SSta —>■ State —>■ Bool 

We call separation logic statements separation statements. 

A classical statement S can then be regarded as a separation statement 
by defining: 

SSsem S ( s , h) — Ssem S s 

We now describe the separation statements that do depend on the heap. 
In what follows, E and F are expressions, which don’t depend on the heap 
and have semantics given by Esem, which we assume maps expressions to 
functions on stores (i.e. Esem : Exp —>• Store —>• Vai). P and Q will range 
over separation statements with semantics given by SSsem. We will give the 
semantics by first defining operators on the meanings of expressions and the 
meanings of statements and then, using these operators, define the meanings 
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of formulae. The variables e and / will range over the meanings of expressions 
and p and q over the meanings of statements. Thus E and F have type Exp 
but e and / have type Store —>• Vai. Similarly P and Q have type SSta, but 
p and q have type State —> Bool. 

In what follows we sometimes use Boolean operators that have been 
‘lifted’ to act pointwise on properties, e.g. if p and q are properties of the 
state (i.e. p : State —>• Bool and q : State —>• Bool ) then we overload A, V 
and =>- by defining: 

->p = Xstate. -i (p state ) 

p Aq = Xstate. p state A q state 

pV q = Xstate. p state V q state 

p q = Xstate. p state q state 

where the occurrence of -i, A, V and => on the left of these equations is 
lifted to operate on predicates and the occurrence on the right is the normal 
Boolean operator. The lifted operators can be used to give semantics to 
corresponding specification language constructs: 

SSsem (-i P) = ->(SSsem P ) 

SSsem (P A Q) — (SSsem P) A (SSsem Q ) 

SSsem (FVQ) = (SSsem P) V (SSsem Q) 

SSsem (P => Q) = (SSsem P ) => (SSsem Q) 

Defining quantifiers for the specification language is slightly subtle. If P is a 
separation statement (normally one containing an occurrence of the variable 
X, though this is not required), then we can form statements \/X. P, 3X. P 
with meaning given by: 

SSsem (VX P) (s, h) - Vu. SSsem P (s [u/X], h) 

SSsem (3X. P) (s, h) = 3v. SSsem P (s [u/X], h) 

An example is 3X. E i —> X dehned in the next section. 

7.3.1 Points-to relation: E i-A F 

E F is true in state (s, h) if the domain of h is the set containing only the 
value of E in s and the heap maps this value to the value of F in s. 


(ei f) (s,h) = (dom h = {e s}) A (h(e s) — f s) 
SSsem (E\-> F) = (Esem E) (->• (Esem F) 
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The first definition in the box above defines a semantic operator i-A and the 
section definition uses this operator to give the semantics of formulae of the 
form E i-A F. Subsequent definitions will have this form. 

Example 

The assertion X i-A Y+l is true for heap {20 43} if in the store X has value 

20 and Y has value 42. 

Points-to assertions specify the contents of exactly one location in the 
heap. Thus (using lifted A): 

(ei 4/iAe 2 4 / 2 )(s,/i) = 

(dom h = {ei s}) A (h(e% s) — f\ s) 

A 

(dom h = {e 2 s}) A (h(e 2 s) = f 2 s) 

Thus if ei 4 /i A e 2 ^ / 2 is true in a state (s, h ) then e\ s — e 2 s and 

/is = /a 

Abbreviation 

We define E H > _ so that it is true of a state (s, h ) when h is any heap whose 
domain is the singleton set {Esem E s}. 

| E i-»_ = 3A. E i-A X (where X does not occur in E) | 

Using the semantics of “3A” given earlier, and assuming that if X doesn’t 
occur in E then Esem E (s [v/A]) = Esem E s, we have: 

SSsem (E i-> _) (s, h) 

= SSsem (3X. E ^ X) (s, h) 

= 3v. SSsem (E X) (s[v/X],h) 

= 3v. (Esem E ^ Esem X) (s [n/A], h) 

= 3v. (dom h = {Esem E (s[v/A])}) A 

(h(Esem E (s[u/A])) = Esem A (s[u/A])) 

= 3v. (dom h = {Esem E s}) A (h(Esem E s) = v) 

= (dom h = {Esem E s}) A 3v. h( Esem E s) = v 
= (dom h = {Esem E s}) AT 
= (dom h = {Esem E s}) 

which shows that E i-> _ is true of a state (s, h) when h is any heap whose 
domain is {Esem E s}. 

The separating conjunction operator * defined below can be used to com¬ 
bine points-to assertions to specify heaps with bigger (i.e. non-singleton) 
domains. 




7.3. Separation logic assertions 


107 


7.3.2 Separating conjunction: P*Q 

Before defining the semantics of P * Q we need some preparatory definitions 
concerning the combination of heaps with disjoint domains. 

If hi and h 2 are heaps then define Sep hi h 2 h to be true if and only if 
the domains of hi and h 2 are disjoint, their union is the domain of h and 
the contents specified by h of a location l E dom h (i.e. h l) is the contents 
specified by hi (i.e. hi l) if l E dom hi and is the contents specified by h 2 
(i.e. h 2 l) if l E dom h 2 . This is perhaps clearer when specified formally: 

Sep hih 2 h = 

((dom hi) n (dom h 2 ) = {}) 

A 

((dom hi) U (dom h 2 ) = (dom h)) 

A 

Ml e dom h. h l = if l E dom hi then hi l else h 2 l 
The relation Sep hi h 2 h is usually written h, * h 2 = h, where * is a partial 
operator that is only defined on heaps with disjoint domains. 

If (dom hi) fl (dom h 2 ) = {}, then hi * h 2 is defined to be the union of hi 
and h 2 , i.e.: 

\/l E (dom hiU dom h 2 ). (hi*h 2 ) l = if l E dom hi then hi l else h 2 l 
Separating conjunction also uses the ^-symbol, but as an operator to 
combine separation properties: P * Q is true in state (s, h) if there exist hi 
and h 2 such that Sep hi h 2 h and P is true in state (s, hi) and Q is true in 
(s, h 2 ). We first define a semantic version: p*q where p and q are predicates 
on states and then define the specification combining operator using this. 

( p-kq ) (s,h) = 3hi h 2 . Sep hi h 2 h A p (s,hi) A q ( s,h 2 ) 

SSsem ( P*Q) = (SSsem P) * (SSsem Q) 

Note that the symbol * is used with three meanings: to combine heaps 
(hi *h 2 ), to combine semantic predicates {p-kq) and to combine separation 
statements ( PkQ ). 

Example 

The assertion X i—>• 0 X+l i—>• 0 is true of the heap {20 i—>• 0,21 i—>■ 0} if X has 
value 20 in the store. 

Abbreviation 

The following notation defines the contents of a sequence of contiguous loca¬ 
tions starting at the value of E to hold the values of F 0 ,... ,F n . 
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| E^+F 0 ,.. 

•, F n - (E^F 0 )4---4(E+n^F n ) || 


Example 

X 1-4 Y, Z specifies that if l is the value of X in the store, then heap locations 
l and l+l holds the values of Y and Z, respectively. 

We can also define a ‘semantic’ version of the notation which operates on 
functions: 


eH/ 0 ,...,/„ = (e 1-4 / 0 ) * ■ ■ ■ * ((As. (e s)+ra) H- f n ) 

SSsem (Et+Fch ■ ■ ■, F n ) — Esem E 1-4 (Esem F 0 ),..., (Esem F n ) 


7.3.3 Empty heap: emp 

The atomic property emp is true in a state (s, h) if and only if h is the empty 
heap (i.e. has empty domain). 


emp (s,h) = (dom h = {}) 
SSsem emp = emp 


Example 

If P is a classical property (i.e. doesn’t depend on the heap) then the formula 
P A emp is true iff P holds and the heap is empty. 

Abbreviation 

We define E = F to mean that E and F have equal values and the heap is 
empty. We also define a semantic version. 


(e = /) = A(s, h). (e s — f s) A (dom h = {}) 

(E = F) — (E — F) A emp 


From these definitions it follows that: 

SSsem (E = F) = ((Esem E) = (Esem F)). 

It also follows from the semantics that: 

Vs h. SSsem ((E = F) * F) (s, h) = 

(Esem E s — Esem F s) A Ssem P (s, h) 

Using lifted A notation, we can write: (e = /) *p = (e = /) Ap . 
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7.3.4 Separating implication: P -* Q 

P -* Q is true in a state (s, h) if whenever P holds of a state (s, h'), where 
h! is disjoint from h then Q holds for the state (s, h * h') in which the heap 
h is extended by h!. 

(p -* q) (s, h ) = Vh' h". Sep h h! h" A p ( s, h!) =$■ q (s, h") 

SSsem (P -* Q) — (SSsem P ) (SSsem Q) 

We do not use separating implication here, but are mentioning it as it is 
a standard part of separation logic. 

7.3.5 Formal definition of linked lists 

If a is a list (e.g. [a, b, c]) and e is the meaning of an expression (i.e. a 
function from stores to values) then list a e (s, h) is defined to mean that a 
is represented as a linked list in the heap h starting at the location specified 
by e s. The definition is by structural recursion on a: 

list [] e = (e = nil) 

list ([a 0 , ai,..., a n ]) e = 3e'. (e (->• a 0 , e') * list [ai,..., a n ] e' 

Let List [X] be the set of lists whose elements are in X. The meaning of 
List[X] is somewhat analogous to the meaning of the regular expression X*. 
Here is type of the function list: 

list : List[Val] —>■ (Store —> Val ) —> State —> Bool 

The definition of list above defines a semantic operator. We also use list to 
formulate separation properties. 

| SSsem (list a E) = list a (Esem E) ] 

where the occurrence of list on the left of this definition is part of the speci¬ 
fication language and the occurrence on the right is the semantic operator. 

Recall the informal Hoare triple given earlier to specify the list reversing 
function. 

{X points to a linked list holding « 0 } 

Y:=nil; 

WHILE -.(X = nil) DO (Z: = [X+1] ; [X+l] :=Y; Y:=X; X:=Z) 

{ Y points to a linked list holding rev(cc 0 )} 





110 


Chapter 7. Pointers and Local Reasoning 


Using separation logic this can be formalised as: 

{list a 0 X} 

Y :=nil; 

WHILE -.(X = nil) DO (Z: = [X+1]; [X+l] :=Y; Y:=X; X:=Z) 

{list (rev(o!o)) Y} 

and the invariant for the WHILE-loop turns out to be: 

da ft. list a X* list ft Y A (rev(a:o) = rev(ce) • ft) 
where is the list concatenation operator (later we also use it for list ‘cons’). 


7.4 Semantics and separation logic 

In this section we give both semantics for the extended programming lan¬ 
guage and for Hoare logic axioms and rules for reasoning about it. 

As heap operations may fault, we define the set Result of results of com¬ 
mand executions to be: 

Result = State U {fault} (where it is assumed that fault ^ State) 
and then the semantic function for commands, Csem, will have the more 
general type: 

Csem : Com —>• State —> Result — > Bool 
and now Csem C (s, h ) r will mean that if C is started in state (s, h) then r 
is a possible result. As mentioned earlier, we assume that expressions do not 
depend on the heap, only on the store. We also assume this about classical 
statements. Furthermore, the evaluation of neither of these can fault, thus 
we redefine: 

Esem : Exp —>■ Store — »■ Val 
Ssem : Sta —>• Store —> Bool 

For comparison, here are the various types and semantic functions for the 
previous simple semantics and then for the new heap semantics. 

Simple semantics (state maps variables to values) 

State =Var —>■ Val 

Esem : Exp —>• State —> Val 
Ssem : Sta —> State —> Bool 
Csem : Com —y State —>• State —» Bool 
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Heap semantics (state is store and heap) 

Store = Va/r -4 Val (assume Num C Val, nil e Val and nil ^ Num) 

Heap = Num —‘■fm Val 
State = Store x Heap 

Result = State U {fault} (assume fault ^ State) 

Esem : Exp -4 Store -4 Val 

Ssem : Sta -4 Store -4 Bool (classical statements) 

SSsem : Sta -4 State -4 Bool (separation statements) 

Csem : Com -4 State -4 Result -4 Bool 

The meaning of Hoare triples {P} C' {Q} is subtly, but very significantly, 
different for separation logic: it is required that for the triple to be true the 
execution of C in a state satisfying P must not fault , as well as Q holding in 
the final state if execution terminates. Formally, the semantics of {P} C {Q} 
for separation logic is SHsem P C Q , where: 

SHsem P C Q = 

Vs h. SSsem P (s, h) 

=> 

-■(Csem C (s, h) fault) A Vr. Csem C (s, h) r SSsem Q r 
The function SHsem has type Sta -4 Com -4 Sta -4 Bool. It is useful to 
define a semantic function shsem so that: 

SHsem P C Q = shsem (SSsem P) (Csem C) (SSsem Q) 

The definition is just: 

| shsem p c q = Vs h. p(s, h) -i(c (s, h) fault) A Vr. c (s, h) r =t gr ] 
The type of shsem is: 

(State -4 Bool ) -4 (State -4 Result -4 Bool) -4 (State -4 Bool) -4 Bool 
There are two reasons for the non-faulting semantics of Hoare triples: 

(i) to support verifying that programs do not read or write locations not 
specified in the precondition - i.e. memory safety; 

(ii) the non-faulting semantics is needed for the soundness of the crucial 
Frame Rule for local reasoning, which is discussed later. 

Non-faulting should not be confused with non-termination: the non-faulting 
requirement is a safety property (“nothing bad happens”) not a liveness prop¬ 
erty (“something good happens”). Separation logic can straightforwardly be 
extended to total correctness - a liveness property - but we do not do this. 
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The semantics we give here is equivalent to the large-step operational se¬ 
mantics of Yang and O’Hearn [25, Table 2], but presented in the denotational 
style used in Chapter 4 for the simple language. With the semantics given 
here, proofs are done by structural induction for loop-free commands plus 
mathematical induction for WHILE-commands. With an operational seman¬ 
tics, the equivalent same proofs are done using rule-induction. 

For each construct we give the semantics followed by the separation logic 
axiom schemes or rules of inference. It is only the axiom schemes for the 
atomic commands that read or modify the heap that are new. The rules 
for sequences, conditionals and WHILE-commands remain the same (the non¬ 
faulting semantics makes their soundness justification slightly more complex). 

7.4.1 Purely logical rules 

From the definition of SHsem it follows that the rules of consequence, i.e. pre¬ 
condition strengthening and postcondition weakening are sound by logic 
alone: their soundness doesn’t depend on the semantics of commands. 


Rules of consequence 

F P =k P', F {P'} C {Q} 
h {P} C {«} 

I- {P} C {Q-}, h g' => Q 
h {P} C {«} 


Another rule that follows from the definition of SHsem (and also from 
that of Hsem) is the following. 


Exists introduction 

F m c {Q} 

F {3x. P} C {3x. Q} 
where x does not occur in C 


Although valid for ordinary Hoare logic, this is not much use there. However, 
it is very useful in separation logic, as we shall see in Section 7.8. 





7.4. Semantics and separation logic 


113 


7.4.2 Semantics of store assignments 

Store assignments V: =E were in the earlier language without pointers. They 
ignore the heap and always succeed. 

| Csem {V : =E) (s, h) r = (r = (s [(Esem E s)/V\ ,h)) \ 

Note that s here ranges over stores not states, thus in the above semantic 
equation: s <G Store, h <G Heap, (s, h) e State and r e Result. 

7.4.3 Store assignment axiom 

First recall the classical Hoare assignment axiom scheme: 
b {Q IE/VI }V:=E{Q} 

Although this is sound for separation logic, it is not the axiom usually given 
[26] - a ‘small’ Floyd-style forward axiom is used instead. This style of axiom 
is also used for all the axioms below. Perhaps the reason for this forward 
‘strongest postcondition’ style is because it connects more directly with sym¬ 
bolic execution, which is a technique widely used by program analysis tools 
based on separation logic. 


Store assignment axiom 

b {V - v} Vi=E{V - Elv/V] } 
where v is an auxiliary variable not occurring in E. 


Note that the meaning of = forces any state for which the precondition is 
true to have an empty heap. Store assignments do not fault, so this is sound. 

If V does not occur in E, then, as (V = V) = emp and EIV/V1 = E it 
follows that the following is a derived axiom: 

b {emp} V :=E {V = E} (where V doesn’t occur in E) 

Another derived axiom is obtained using the exists introduction rule to 
obtain the following from the store assignment axiom: 

b {3v. V = v}V:=E {3v.V = Elv/V]} 

The precondition of this is emp. This follows from the definitions of — and 
lifted quantification: 
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(3v. V = v)(s,h ) = 3v. (s V — v s) A (dom h = {}) 

The statement 3v. (s V — vs) is true - to see this take v to be As. s V - 
hence (3v. V = v) — emp and so the following is a derived axiom: 

h {emp} V:=E {3v. V = Elv/Vl} (where v doesn’t occur in E) 

7.4.4 Semantics of fetch assignments 

Fetch assignments change the store with the value of a location in the heap, 
faulting if the location is not in the heap. They do not change the heap. 

Csem (F : = [£]) (s,h) r = 

(r = if Esem E s & dom(h) then (s [h(Esem E s)/Esem E si, h) else fault) 

In the above semantic equation: s E Store, h E Heap, ( s, h ) e State and 
r G Result. 

7.4.5 Fetch assignment axiom 

Fetch assignment axiom 

b {(V = Vl ) A E ^ v 2 } V : = [E1 {{V = v 2 ) A E MV1 ^ v 2 } 
where v\, v-i are auxiliary variables not occurring in E. 

Like the store assignment axiom above, this is best understood as describing 
symbolic execution. Note that the precondition requires the heap to contain 
a single location given by the value of E in the store and whose contents is V 2 - 
After the fetch assignment, the variable V has the value V 2 in the store and the 
heap is unchanged (because the value of E[v\/Vl in the postcondition state 
is the same as the value of E in the precondition state). The precondition 
ensures that the fetch assignment won’t fault since the value of E is specified 
by E v 2 to be in the heap. 

7.4.6 Semantics of heap assignments 

Heap assignments change the value of a location in the heap, faulting if the 
location is not in its domain. The store is unchanged. 

Csem ([Eil : =E 2 ) (s, h) r = 

(■r = if Esem E'i s-E dom(h) then (s,h[ Esem E 2 s/Esem E x s]) else fault) 
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7.4.7 Heap assignment axiom 

Heap assignment axiom 

b {£^-} IE] :=F{E^F} 


This is another forward symbolic execution style axiom. The precondition 
asserts that domain of the heap consists of the value of E in the store and 
thus the heap assignment does not fault. 

7.4.8 Semantics of allocation assignments 

Allocation assignments change both the store and the heap. They non- 
deterministically choose n contiguous locations, say l , /+1 ,..., l+(n—1 ), that 
are not in the heap (where n is the number of arguments of the cons) and 
then set the contents of these new locations to be the values of the arguments 
of the cons. Allocation assignments never fault. 


Csem (V :=cons(A'i- • • • , E n )) (s, h) r — 

31. I ^ dom(h) A • • • A l+(n— 1) ^ dom(h) A 

(r = (s U/V] , h [Esem E, s/l] ■ ■ ■ [Esem E n s/l+(n- 1)])) 


This is non-deterministic because Csem (V :=cons(£'i,..., E n )) ( s,h ) r is 
true for any result r for which the right hand side of the equation above 
holds. As the heap is finite, there will be infinitely many such results. 

7.4.9 Allocation assignment axioms 

Allocation assignment axioms 

b {l/ = u}l/:=cons(£i,...,£ n ) {V ^ E x lu/V] ,..., E n lv/V] } 

where v is an auxiliary variable not equal to V. 

b {emp} V :=cons(£'i,..., E n ) {V ■ ■ ■, E n } 

where V is an auxiliary variable not occurring in E lr . .,E n . 
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These are also forward symbolic execution style axioms - but they are non- 
deterministic. The preconditions assert that the heap is empty. In the first 
axiom, the precondition also specifies that V has value v in the store. The 
postconditions use the abbreviation in Section 7.3.2 for specifying a contigu¬ 
ous chunk of memory and asserts that the domain of the heap is n contiguous 
locations which contain the values of Ei,- ■ ■ ,E n in the precondition store. No¬ 
tice that this axiom does not determine that value of V after the assignment 
- so is non-deterministic - it merely requires that V points to any location 
not in the heap before the command is executed. 

7.4.10 Semantics of pointer disposal 

Pointer disposals deallocate a location by deleting it from the heap’s domain, 
faulting if the location isn’t in the domain. The store is unchanged. 


Csem (dispose (E)) ( s,h ) r — 

(r = if Esem C s e dom(h) then (s, h-(Esem E s)) else fault) 


7.4.11 Dispose axiom 

Dispose axiom 
h {E i—^ _} dispose (E) {emp} 


Requires the heap to contain only one location and then deallocates it re¬ 
sulting in the empty heap. 

7.4.12 Semantics of sequences 

If neither C\ nor C 2 faults then the semantics of C\ ; C' 2 is as before. If either 
Ci or C 2 faults, then so does Ci ; C' 2 . 


Csem (Ci; C' 2 ) (s,h) r = 
if (3s' h'. r = ( s',h ')) 

then (3s' h!. Csem Ci (s, h) (s', h') A Csem C 2 (s', h ') r) 
else ((Csem Ci (s,h) r A (r = fault)) 

V 

3s' h!. Csem Ci (s, h) (s', h') A Csem C 2 (s', h') r A (r = fault)) 
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7.4.13 The sequencing rule 

The sequencing rule is unchanged for separation logic. Note that if the 
hypotheses are true, then there is no faulting. 

The sequencing rule 

I- {f} Cl {<3}, I- {<3} C 2 w 

1- {P} c i; c 2 {fl} 

The proof of soundness of the sequencing rule is straightforward. The argu¬ 
ment is similar to the one given for simple Hoare logic in Section 4.2 with 
some additional arguments to handle faults. One proves: 

Vp q r ci c 2 . 

shsem p <q r A shsem r c 2 q 
=> 

shsem p (A(s, h) r. 3s' h'. c\ (s, h) (s', h!) A c 2 (s', h!) r) q 
where shsem is the semantic function representing the meaning of separation 
logic Hoare triples which was defined on page 111. 

7.4.14 Semantics of conditionals 

The semantics of conditionals is as before (see Section 4.1.2). 

Csem (IF S THEN C x ELSE C 2 ) (s, h) r = 

if Ssem S s then Csem C\ (s, h ) r else Csem C 2 (s, h) r 


7.4.15 The conditional rule 

The conditional rule is unchanged. 

The conditional rule 

b {P A S'} Ci {Q}, b {P A -.5} C 2 {Q} 
b {P} IF S THEN Cl ELSE C 2 {Q} 

The proof of soundness of the conditional rule is straightforward. One proves: 
\/p qb ci c 2 . 

shsem (p A b) Ci q A shsem (p A ->b) c 2 q 
=> 

shsem p (A(s, h) r. if b(s, h) then C\ (s, h) r else c 2 (s, h) r ) q 
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Notice that in (jp A b ) and (p A ~>b) the conjunction A and negation -i are 
lifted (see page 105). 

7.4.16 Semantics of WHILE-commands 

The semantics of WHILE-commands is similar to the one given in Section 4.1.2 
except that if a fault arises during the execution then the iteration aborts 
with a fault. 

|Csem (WHILE S DO C) ( s,h ) r = 3n. Iter n (Ssem S) (Csem C) ( s,h ) r ] 
The function Iter is redefined to handle faulting: 

Iter 0 p c (s, h) r = -<(p s) A (r = (s, h)) 

Iter (n+1) p c (s,h) r = 
p s A (if (3s' h'. r — ( s'h ')) 

then (3s' h'. c(s, h)(s'h') A Iter n p c (s', h') r) 
else ((c (s, h) r A (r = fault)) 

V 

3s' h!. c (s, h ) (s', h') A Iter n p c (s', h') r A (r = fault))) 

The type of Iter is: 

Iter: Num^ (Stored Bool) ( State—tR.esul Bool) —Stated Result—Bool 

7.4.17 The WHILE-rule 

The WHILE-rule is unchanged. 

The WHILE-rule 

h {PAS}C{P} 
h {P} WHILE S DO C {P A S} 

The semantics of WHILE commands is dehned in terms of the function Iter. 
The following two lemmas about Iter are straightforward to prove by induc¬ 
tion on n. 

shsem (p A b) c p Vn s h. p(s, h) — >(lter n b c (s, h ) fault) 

shsem (pAb) cp 
=> 

Vn s h s' h'. p(s, h ) A Iter n b c (s, h) (s', h') => p(s', h') A _i (5(s', h')) 
Notice that in (jpAb) the conjunction A is lifted. The soundness of the WHILE 
rule follows easily from these lemmas. 
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7.5 The frame rule 

The frame rule is the key rule of separation logic. The motivation given 
here is based on the account in Reynolds’ notes [23]. The purpose of the 
frame rule is to enable local reasoning about just those locations that a 
command reads and writes to be extended to uninvolved locations, which 
are unchanged. How to handle this gracefully is the so called frame problem 
that was identified 50 years ago as a problem in using logic to model actions 
in artificial intelligence. 2 

The following rule, which Reynolds calls the rule of constancy, holds in 
the simple language without a heap (the proof is by structural induction on 
C ). A variable V is said to be modified by C is it occurs on the left of : = 
in a store, fetch or allocation assignment in C (variables on the left of heap 
assignments are not modified). 


The rule of constancy 

t { p }C{Q} 

h {P A R] C IQ A R] 

where no variable modified by C occurs free in R. 

this is not valid for heap assignments because although by the heap assign¬ 
ment axiom: 

b {X^_} [X] : =0 {X i—>• 0} 
the following is not true (since X = Y is a possibility): 

{X^_ A Y i—>• 1} [X] : =0 {X i—>• 0 A Y (->• 1} 

They key insight, attributed to O’Hearn by Reynolds, is to use * instead of 
A to ensure that the added assertion R is disjoint from P and Q. This gives 
rise to the frame rule below: 

The frame rule 

t { p }g{Q> 

h {P*R}C {Q*R} 

where no variable modified by C occurs free in R. 

2 http://en.wikipedia.org/wiki/Frame_problem 
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In the frame rule a variable V is said to be modified by C is it occurs on the 
left of : = in a store, fetch or allocation assignment in C. 

The proof that the frame rule is sound is quite tricky and depends on the 
no-faulting semantics of Hoare triples. The key lemmas are Monotonicity: 

VC s h 0 hi h 2 . 

-■(SHsem C ( s , h 0 ) fault) A Sep h 0 hi h 2 => -■(SHsem C (s, h 2 ) fault) 

and The Frame Property: 

VC s s' ho hi h 2 h!. 

-■(SHsem C (s, h 0 ) fault) A SHsem C (s, h 2 ) (s', h') A Sep h 0 hi h 2 
3h' 0 . SHsem C (s, hO) (s', h' 0 ) A Sep h' 0 hi h! 

For further details of what these lemmas mean and why they are key to 
the soundness of the fame rule see the original paper [25]. Notice that in 
these two lemmas the quantification is over commands C, not over arbitrary 
functions c : State —>• Result —> Bool. This is because the lemmas do not 
hold for arbitrary functions, only for functions that are the meaning of com¬ 
mands (e.g. for Csem C). Abstract separation logic assumes these lemmas 
as axioms and then develops a generalised version of separation logic that 
can be instantiated to different models of states. The original paper on ab¬ 
stract separation logic [30] provides more details. See also recent research 
by Thomas Tuerk [31] on using abstract separation logic as a framework for 
building mechanised program verification tools. 


7.6 Example 

The informal Hoare triple: 

{contents of pointers X and Y are equal} X: = [X] ; Y: = [Y] {X = Y} 
can be formalised as 

{3v. X^u*Y^v} X: = [X] ; Y: = [Y] {X = Y} 

By the fetch assignment axiom: 

h {(X = x) A X i-4 v} X: = [X] {(X = v) A x (->• v} 
b {(Y = y) AY^u}Y: = [Y] {(Y = u) Ay^v} 

By the frame rule: 
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b {((X = r)AX4r)i((Y = j/)AY^«)} 

X: = [X] 

{((X = v) A x ^ v) * (((Y = y) AYK u))} 

h {((Y = y) A Y i-» v) * ((X = v) A x i-A n)} 

Y: = [Y] 

{((Y = n) A y (->• v) * ((X = v) A x i-A n)} 

Hence by the sequencing rule and the commutativity of the * operator (see 
next section): 

b {((X = x) A X i—>■ v) * ((Y = j/) A Y K u)} 

X: = [X] ;Y: = [Y] 

{((X = v) A x (->• v) * ((Y = v) A y (->• n)} 

Next use the exists introduction rule three times to get: 
h {3u x y. ((X = x) A X i-A v) * ((Y = y) A Y i-A v)} 

X: = [X] ; Y: = [Y] 

{3v x y. ((X = v) A x (->• v) * ((Y = v) A y (->• n)} 

The following implications are true (we say more on why later): 

(3v. X i-A v * Y i-A v) =k x ?/• ((X = x) A X i-A n) * ((Y = y) A Y i-A v) 
(3n x y. ((X = v) A x (->• u) * ((Y = v) A ?/ 1 -> v)) => (X = Y) 

Hence by the rules of consequence: 

h {3u. X^mYhh;} X:®M ; Y: = [Y] {X = Y} 

This proof seems rather heavy for such a trivial result, but, as we have seen 
for simple Hoare logic, derived rules and automation can eliminate most of 
the fine details. In the next section we say more about proving formulae like 
the two implications we used with the rules of consequence in the last step. 

7.7 The logic of separating assertions 

In simple Hoare logic the assertion language consists of standard predicate 
calculus formulae and thus the standard deductive system of predicate logic 
can be used to prove formulae, e.g. when needed for applying the rules of 
consequence. Alternatively one can take a semantic view and regard asser¬ 
tions as predicates on the state and then just use ‘ordinary mathematics’ to 
prove assertions. 

In separation logic there are additional operators such as * and i-A which 
are not part of standard logic. One can try to develop a deductive system 
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for such operators and then prove properties of the assertions, but (as far as 
I know, e.g. [28]) there is no complete deductive system for such assertions. 
One can accumulate a collection of ad hoc rules for doing proofs, but, as 
Reynolds says in his notes [23] these are likely to be “far from complete”, 
though they might be good enough for most examples that come up in prac¬ 
tice. In the last section it was asserted that the following two implications 
were true: 

(3u. X i —y v *Y i —y u) 3v x y. ((X = x) A X i-» v) * ((Y = y) A Y i-A v) 

(3u x y. ((X = v) A x (->• v) * ((Y = v) A y (->• v)) =>■ (X = Y) 

To verify that these are true one must show that they hold for all states (s, h) 
- i.e. that Vs h. SSsem P (s, h). One could just prove this directly from the 
definitions, but an alternative is to use derived laws for the separation logic 
operators to prove the assertions ‘algebraically’. For example, the following 
equations can be derived from the definition of * (see Section 7.3.2): 

3x. Pi* P 2 = P\* (3x. P 2 ) (when x not free in Pi) 

3x. Pi*P 2 = (3.r. Pi) * P 2 (when x not free in P 2 ) 

hence: 

3v x y. ((X = x) A X v) * ((Y = y) A Y i-» v) 

= 3v. (3x. (X = x) A X i-> v) * (3y. (Y = y) A Y !->• v) 

= 3v. ((3x. X = x) A X i-> v) * ((3y. Y = y) A Y i-» v) 

= 3v. (T A X v) * (T A Y v) 

= 3v. X v * Y i->- v 

This establishes the first implication (actually it establishes a stronger result: 
an equation rather than an implication). 

To prove the second implication, first start by a similar calculation to the 
one above: 

(3v x y. ((X = v) A x (->• v) * ((Y = v) A y (->• v)) 

= 3v. ((X — v) A (=h. x (->• n)) * ((Y = v) A (3y. y (->• v)) 

We say a property is heap independent if it doesn’t depend on the heap. The 
classical statements discussed in Section 7.3 are heap independent. Semanti¬ 
cally P is heap independent iff Vs h\ h 2 - P(s, hi) = P(s, h 2 ). The following 
law is then true: 


((Pl A Qi ) * (P 2 A Q 2 )) (Pi A P 2 ) (Pi, P 2 heap independent) 
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The values of variables don’t depend on the heap, so both X = v and Y = v 
are heap independent. Thus: 

(3v. ((X = v) A (3x. xi ->v))* ((Y — v) A (3y. y v))) 

=$> 3v. (X = v) A (Y = v) 

=>■ X = Y 

This completes the proof that: 

(3v x y. ((X = v) A x v) * ((Y = v) A y (->■ v)) => (X = Y) 

7.8 The list reversal program 

In this section we take a preliminary look at the list reversing program dis¬ 
cussed earlier. Further details (e.g. a full proof) may be added to a future 
version of these notes. A proof outline can be found in Reynolds notes [23]. 
The Hoare triple to be proved is: 

{list ocq X} 

Y:=nil; 

WHILE -.(X = nil) DO (Z: = [X+l] ; [X+l] :=Y; Y:=X; X:=Z) 

{list (rev(a 0 )) Y} 

We previously mentioned that is the list concatenation operator (we will 
also write a ■ a for the result of ‘consing’ an element a onto a). The invariant 
given by Reynolds in his notes is: 

3a /3. list a X* list fi Y A (rev(ao) = rev(a) ■ /?) 

We need to show that: 

1. this holds just before the loop is entered; 

2 . it is indeed an invariant; 

3. with the loop exit condition X = nil it implies list (rev(ao)) Y. 


| What follows has not been fully checked and may contain errors! | 

To show 1 we need to prove: 

{list cc 0 X} Y: =nil {3a /3. list aX* list /3 Y A (rev(a 0 ) = rev(a) ■ 0)} 

By the store assignment axiom: 
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b {Y = v}Y:=nil{Y = nil [v/Y] } 
hence, as Y doesn’t occur in nil: 
b {Y = v}Y:=nil{Y = nil} 

By the definition of list (base case): list [] e = (e = nil) 
b {Y = v}Y:=nil{list [] Y} 

By the frame rule (and commutativity of *): 

b {list a 0 X*(Yi v)} Y:=nil {list a 0 X* list [] Y} 

Clearly rev(a 0 ) = rev(a 0 ) • [], so: 

b {list a 0 X* (Y = v)} Y:=nil {list a 0 X* list [] Y A (rev(a 0 ) — rev(a 0 ) ■ [])} 

By exists introduction (see Section 7.4.1): 

b {3v. list a 0 X * (Y = v)} Y:=nil {3u. list a 0 X* list [] Y A (rev(a 0 ) = rev(a 0 ) • □)} 
Let us assume the following two purely logical implications: 

(Pl.l) b list a 0 X => 3v. list a 0 X * (Y = v) 

(PI. 2) b (zb. list a 0 X*list [] Y A (rev(aio) = rev(a 0 ) • □)) 

(3a (3. list a X* list /3 Y A (rev(a 0 ) = rev(a) • /?)) 

From Pl.l and PI.2, the result of exists introduction above and the conse¬ 
quence rules: 

{list a 0 X} Y:=nil {3a (3. list a X* list (3 Y A (rev(a 0 ) = rev(a) • f3)} 
which is 1. 

To show 2 we need to prove: 

{(3a fi. list a X * list f3 Y A (rev(a 0 ) = rev(a) • /?)) A ->(X = nil)} 

Z: = [X+l]; [X+l] : =Y; Y: =X; X: =Z 
{3a (3. list a X * list f3 Y A (rev(a 0 ) = rev(a) • (3)} 
which we do by proving the following three statements and then using the 
Sequencing Rule. 

{(3a /3. list a X * list (3 Y A (rev(a 0 ) = rev(a) • f3)) A ->(X = nil)} 

Z: = [X+l] 

{3a a /3. X (->• a, Z * list aZ* list (3 Y A (rev(a 0 ) = rev(a • a) • /3)} 

{3a a j3. X !->• a, Z * list aZ* list (3 Y A (rev(a 0 ) = rev(a • a) • /3)} 

[X+l]:=Y 

{3a /3. list aZ* list j3 X A (rev(a 0 ) = rev(a) • /3)} 
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{3a p. list a Z ^ list ft X A (rev(a 0 ) = rev(a) • ft)} 

Y: =X; X: =Z 

{3a; p. list a X* list P Y A (rev(a 0 ) = rev(a) • /3)} 

The last of these follows by two applications of the ordinary Hoare assignment 
axiom and the sequencing rule. The first two are more tricky, and require 
the fetch and heap assignment axioms, respectively. Recall: 

Fetch assignment axiom 

b {(V = v 1 )AE^v 2 }V: = tEl {(V = v 2 ) A E MV] ^ v 2 } 
where iq, v 2 are auxiliary variables not occurring in E. 

The instance of this we need is: 

b {(Z = ui) AX+1 H- v 2 } Z: = [X+1] {(Z = v 2 ) A X+l [iq/Z] H- v 2 } 

As Z does not occur in X+l we have X+l [rq/Z] = X+l. The variable v\ serves 
no useful role here, so we can eliminate it by instantiating it to Z. We also 
rename the logical variable v% to l. Thus: 

b {X+l /} Z: = [X+l] {(Z = I)AX+14l) 

This is a local property just describing the change to a one-element heap 
(containing X+l). From this, we must somehow deduce a global property 
about the whole list. Let : 

R = X i-4a* list a' l * list P Y A (rev(a 0 ) = rev(a • a') • p) A -i(X = nil) 

The process of finding this R is related to abduction, a kind of frame inference 
that is a hot topic in recent research [4], By the frame rule, followed by 
repeated applications of the exists rule: 

b {3a P a l a'. X+l H- 1 * R} Z: = [X+l] {3a P a l a'. (z = l)AX+14b R} 
From this we need to deduce: 

b {(3a p. list a X* list P Y A (rev(a 0 ) = rev(a) • p)) A -i(X = nil)} 

Z: = [X+l] 

{3a a p. X i-A a, Z * list aZ* list P Y A (rev(a 0 ) = rev(a • a) • P)} 
which can be done using the consequence rules if P2.1 and P 2.2 below hold: 
(P2.1) b (3a p. (list aX* list P Y A (rev(a 0 ) = rev(a) • P)) A ->(X = nil)) 
=J> 3 a P a l a', (x+l i-A /) + P 

(P2.2) b (3a P a l a', ((z = l) A X+l i->• Z) * P) 

3a a p. X i-A a, Z * list aZ* list P Y A (rev(a 0 ) = rev(a • a) • P) 
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These are purely logical properties (in the assertion language of separation 
logic). Their proof uses the definition of the list predicate list and logical 
reasoning. Recall the list predicate: 



Arguing informally: from list a X and -i(X = nil) it follows that for some 
value a and a' we have a = a-a'. From this rev(a:o) = rev(a ■ a') ■ /3 and from 
list a X there exists a location l such that X 1-4 a, X+l 1 - 4 1 and list a 1 l. Thus: 

h (list a X * list P Y A (rev(cc 0 ) = rev(a) • f3)) A -t(X = nil) 

=> 

((3a l a'. 

X i-4 a* X+l l * list a' l * list /3 Y 

A (rev(ao) = rev (a • a') ■ (3)) A -i(X = nil)) 

The first of the two needed logical properties follows from this using some 
quantifier movement and the commutativity of *. The second property re¬ 
quires the list predicate to be unfolded. 

This concludes a sketch of the proof of the first Hoare triple: 

{(3a: [3. list a X * list f3 Y A (rev(a:o) = rev(a:) • /?)) A ->(X = nil)} 

Z:=[X+l] 

{3a a (3. X 1-4 a, Z* list « Z* list (3 Y A (rev(a:o) = rev(a • a) ■ P)} 

The remaining Hoare triple is: 

{3a a f3. X 4a,Z* list « Z* list f3 Y A (rev(a:o) — rev(a • a) ■ ft)} 

[X+l]:=Y 

{3a: p. list a Z* list P X A (rev(a:o) = rev(a:) • P)} 

To prove this we need the heap assignment axiom: 
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Heap assignment axiom 
b {P^_} IE] : =F {E i-> F} 

The appropriate instance is: 

b {3v. X+l eA v} [X+l] : =Y {X+l Y} 

By inventing a suitable frame, application of the frame rule and some logical 
fiddling, including using the definition of list, one deduces from this: 

h {3a a 0 X i-» a, Z * list a Z * list (3 Y A (rev(a 0 ) = rev (a • a) ■ (3)} 

[X+l] :=Y 

{3a a /3. X i-A a, Y * list a Z * list f3 Y A (rev(a 0 ) = rev(a • a) ■ (3)} 
and then one gets the desired result by postcondition weakening using: 

(P2.3) h (3a a /3. X i-A a, Y * list a Z * list (3 Y A (rev(a 0 ) = rev(a • a) • 0)) 

(3a 0 list a Z* list (3 X A (rev(a 0 ) = rev(a) • /?)) 
which is proved by hrst proving: 

(P2.3.1) h (3a a 0 X i-> a, Y + list a Z * list f3 Y A (rev(a 0 ) = rev(a • a) • /?)) 
=^> 

(3a a 0 list a Z + list (a • 0) X A (rev(a 0 ) = rev(a) • a • /3)) 

and then proving 

(P2.3.2) T (3a a 0 list a Z + list (a ■ /3) X A (rev(a 0 ) = rev(a) • a • j3)) 

(3a 0 list aZ* list (3 X A (rev(a 0 ) = rev(a) • ^)) 
and then using the transitivity of implication (=£►). 

Finally, to show 3 (i.e. invariant and loop exit condition X=nil implies 
list (rev(a 0 )) Y) we need to prove property P3, where: 

(P3) h (3a 0 list a X* list f3 Y A (rev(a 0 ) = rev(a) • /?)) A (X = nil) 

list (rev(a 0 )) Y 

Which, again, is fiddly pure logic using the definition of the list predicate 

list. 

Proofs like the one sketched above, are normally shown as ‘proof outlines’ 
which are a similar to annotated programs. Reynolds’ proof outline for the 
list reversing example [23] is (with some renaming of variables and other 
minor changes): 
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{list a 0 X} 

Y:=nil; 

{3a 13. list a X* list (3 Y A (rev(a 0 ) = rev(a) • ft)} 

WHILE —> (X=nil ) DO {3a (3. list a X* list j3 Y A (rev(a 0 )=rev(a) • /3)} 

({3o; /3. list a X * list /3 Y A (rev(a 0 )=rev(a) • (3) A —>(X=nil)} 

{3a f3 a l a'. 

(x+1 (->• Z) * X i-» a * list a' l * list [3 Y A (rev(a 0 )=rev(a • a') • /3) A -i(X=nil)} 

Z: = [X+1] ; 

{3a f3 a l a'. 

((Z=Z) A X+1 1 -» Z) * X (->• a * list a' l * list /3 Y A (rev(a 0 )=rev(a • a') • /3) A —>(X=nil)} 
{3a a (3. X i-> a, Z * list aZ* list (3 Y A (rev(a 0 ) = rev(a • a) • (3)} 

[X+1]:=Y; 

{3a a (3. X i-> a, Y * list aZ* list (3 Y A (rev(a 0 ) = rev(a • a) • /?)} 

{3a a /3. list aZ* list (a • j3) X A (rev(a 0 ) = rev(a) • a • (3)} 

{3a /3. list aZ* list (3 X A (rev(a 0 ) = rev(a) • /?)} 

Y:=X; X:=Z 

{3a [3. list a X* list [3 Y A (rev(a 0 ) = rev(a) • /?)}) 

{list (rev(a 0 )) Y} 

Proof outlines like this are superficially similar to annotated Hoare triples as 
described for verification condition generation. They do specify what has to 
be done to get a complete proof, namely: 

• prove h P => Q for each sequence of sentences {P}{Q}] 

• prove h {P} C {Q} for each occurrence of a Hoare triple. 


However, proving these is not always straightforward or mechanisable. 

• There is no established methodology for proving P => Q when P, Q are 
arbitrary assertions of separation logic - one relies on manual methods 
from incomplete sets of axioms and rules, or decision procedures for 
weak subsets. 

• The assignment axioms of separation logic only support local reason¬ 
ing about the sub-heaps involved - one needs to the extend local Hoare 
triples given by the axioms to global ones using the frame rule, and find¬ 
ing the right frame to use is tricky and heuristic, somewhat analogous 
to finding invariants, rather than algorithmic (it’s related to abduc¬ 
tion [4]). 
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Thus proof outlines are (currently) mainly an informal notation for writing 
down hand proofs. 

Mechanising separation logic is an active research area. Most success 
so far has been on just verifying shape properties (i.e. shape analysis). The 
classic work is a tool called Smallfoot (google Smallf oot Berdine). A recent 
project at Cambridge to mechanise reasoning about the content of data- 
structures, rather than just their shape, is Holfoot (google Holfoot Tuerk). 

In addition to the mechanisation of separation logic, there is much cur¬ 
rent research on extending the logic to support mainstream programming 
methods, like concurrency and object-oriented programing. 
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